{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2414", "assignerOrgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "state": "PUBLISHED", "assignerShortName": "HYPR", "dateReserved": "2026-02-12T16:57:17.576Z", "datePublished": "2026-03-25T17:03:03.308Z", "dateUpdated": "2026-03-27T14:56:17.171Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "shortName": "HYPR", "dateUpdated": "2026-03-25T17:03:03.308Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-639", "description": "CWE-639 Authorization bypass through User-Controlled key", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"vendor": "HYPR", "product": "Server", "versions": [{"status": "affected", "version": "9.5.2", "lessThan": "10.7.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation.This issue affects Server: from 9.5.2 before 10.7.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation.<p>This issue affects Server: from 9.5.2 before 10.7.2.</p>"}]}], "references": [{"url": "https://www.hypr.com/trust-center/security-advisories"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.6, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:56:11.591601Z", "id": "CVE-2026-2414", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:56:17.171Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2414", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T14:56:11.591601Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:56:14.450Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.6, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HYPR", "product": "Server", "versions": [{"status": "affected", "version": "9.5.2", "lessThan": "10.7.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.hypr.com/trust-center/security-advisories"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation.This issue affects Server: from 9.5.2 before 10.7.2.", "supportingMedia": [{"type": "text/html", "value": "Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation.<p>This issue affects Server: from 9.5.2 before 10.7.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization bypass through User-Controlled key"}]}], "providerMetadata": {"orgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "shortName": "HYPR", "dateUpdated": "2026-03-25T17:03:03.308Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2414", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:56:17.171Z", "dateReserved": "2026-02-12T16:57:17.576Z", "assignerOrgId": "0dc7baee-4a9f-419f-bd0a-e21ec5dac512", "datePublished": "2026-03-25T17:03:03.308Z", "assignerShortName": "HYPR"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hypr:hypr:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F918608-14A1-403C-9A89-EF97D41D525A", "versionEndExcluding": "10.7.2", "versionStartIncluding": "9.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation.This issue affects Server: from 9.5.2 before 10.7.2."}, {"lang": "es", "value": "Elusi\u00f3n de autorizaci\u00f3n a trav\u00e9s de una vulnerabilidad de clave controlada por el usuario en el servidor HYPR permite la escalada de privilegios. Este problema afecta al servidor: desde 9.5.2 antes de 10.7.2."}], "id": "CVE-2026-2414", "lastModified": "2026-04-01T15:39:26.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@hypr.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:57.490", "references": [{"source": "security@hypr.com", "tags": ["Vendor Advisory"], "url": "https://www.hypr.com/trust-center/security-advisories"}], "sourceIdentifier": "security@hypr.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@hypr.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.5.2,10.7.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "server", "vendor": "hypr"}], "analysis": {"en": {"generated_at": "2026-04-02T04:17:42.869615+00:00", "value": {"mitigation_remediation": ["Upgrade HYPR Server to version 10.7.2 or later", "Verify that the upgrade removes the user\u2011controlled key handling flaw", "Restrict network access to the server and monitor for anomalous request patterns while awaiting an update", "Contact HYPR support for assistance if an upgrade cannot be performed immediately"], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "HYPR Server installations between versions 9.5.2 and before 10.7.2 are affected. Users running any release in this range should verify whether their deployment includes the vulnerable implementation of the user\u2011controlled key mechanism.", "description_and_impact": "An authorization bypass flaw in HYPR Server allows an attacker to gain higher privileges on the system. The vulnerability stems from a user\u2011controlled key that is improperly validated, enabling privilege escalation when an attacker supplies a crafted request. The weakness aligns with CWE\u2011639, which concerns improper authorization checks. The impact is the ability for an attacker to execute actions typically reserved for higher\u2011privileged users, potentially compromising data integrity and system control.", "risk_and_exploitability": "The CVSS score of 5.6 denotes a moderate risk level. The EPSS score of less than 1% suggests that exploitation in the wild is currently infrequent, and the vulnerability is not listed in the CISA KEV catalog. Based on the vulnerability description, the likely attack vector involves remotely sending a request that includes a user\u2011controlled key, implying that network access to the server\u2019s API or web interface facilitates exploitation. This inference is made from the nature of the control flow described; the CVE entry does not detail the attack surface explicitly."}}}}, "created": "2026-03-25T21:46:39.444027+00:00", "updated": "2026-04-02T07:59:07.241809+00:00", "vendors": ["hypr", "hypr$PRODUCT$server"]}