{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2449", "assignerOrgId": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "state": "PUBLISHED", "assignerShortName": "upKeeper", "dateReserved": "2026-02-13T09:53:46.219Z", "datePublished": "2026-04-14T11:56:04.741Z", "dateUpdated": "2026-04-14T13:14:16.593Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "shortName": "upKeeper", "dateUpdated": "2026-04-14T11:57:23.354Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-88", "description": "CWE-88 Improper neutralization of argument delimiters in a command ('argument injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-30", "descriptions": [{"lang": "en", "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"}]}], "affected": [{"vendor": "upKeeper Solutions", "product": "upKeeper Instant Privilege Access", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.<p>This issue affects upKeeper Instant Privilege Access: through 1.5.0.</p>"}]}], "references": [{"url": "https://support.upkeeper.se/hc/en-us/articles/26783425404444-CVE-2026-2449-Improper-neutralization-of-argument-delimiters-in-a-command"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Tony Nilsson", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2449", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T13:02:37.257685Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:16.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2449", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T13:02:37.257685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:08:46.449Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Tony Nilsson"}], "impacts": [{"capecId": "CAPEC-30", "descriptions": [{"lang": "en", "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "upKeeper Solutions", "product": "upKeeper Instant Privilege Access", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.upkeeper.se/hc/en-us/articles/26783425404444-CVE-2026-2449-Improper-neutralization-of-argument-delimiters-in-a-command"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.", "supportingMedia": [{"type": "text/html", "value": "Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.<p>This issue affects upKeeper Instant Privilege Access: through 1.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper neutralization of argument delimiters in a command ('argument injection')"}]}], "providerMetadata": {"orgId": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "shortName": "upKeeper", "dateUpdated": "2026-04-14T11:57:23.354Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2449", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:16.593Z", "dateReserved": "2026-02-13T09:53:46.219Z", "assignerOrgId": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "datePublished": "2026-04-14T11:56:04.741Z", "assignerShortName": "upKeeper"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0."}], "id": "CVE-2026-2449", "lastModified": "2026-04-17T15:24:57.753", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "type": "Secondary"}]}, "published": "2026-04-14T12:16:21.590", "references": [{"source": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "url": "https://support.upkeeper.se/hc/en-us/articles/26783425404444-CVE-2026-2449-Improper-neutralization-of-argument-delimiters-in-a-command"}], "sourceIdentifier": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "80f39f49-2521-4ee7-9e17-af5d55e8032f", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "upKeeper Instant Privilege Access", "source": "cna", "vendor": "upKeeper Solutions"}, "product": "upkeeper_instant_privlege_access", "vendor": "upkeeper_solutions"}], "analysis": {"en": {"generated_at": "2026-04-14T13:20:29.509178+00:00", "value": {"mitigation_remediation": ["Update to the latest patched release of upKeeper Instant Privilege Access that addresses CVE-2026-2449.", "If a patch is not yet available, restrict access to privileged threads and monitor for abnormal activity.", "Apply general command injection mitigation best practices, such as validating and sanitizing command arguments.", "Check the vendor's support portal for additional guidance at https://support.upkeeper.se/hc/en-us/articles/26783425404444-CVE-2026-2449-Improper-neutralization-of-argument-delimiters-in-a-command."], "summary": {"action": "Patch Now", "impact": "Privilege Escalation via Argument Injection"}, "threat_synthesis": {"affected_systems": "Impact is limited to the upKeeper Instant Privilege Access product from upKeeper Solutions. All installations running version 1.5.0 or earlier are vulnerable. The advisory does not list additional affected versions, nor does it specify any other products. Users should verify that their deployments are running 1.5.0 or earlier to determine exposure.", "description_and_impact": "We are dealing with an argument injection flaw in upKeeper Solutions' upKeeper Instant Privilege Access. The vulnerability arises from improper neutralization of argument delimiters in shell commands, allowing an attacker to inject malicious arguments. This can hijack a privileged thread of execution, giving the attacker elevated privileges without authentication. The weakness corresponds to CWE\u201188, an argument injection issue that undermines input validation and command execution integrity.", "risk_and_exploitability": "The CVSS base score of 9.0 indicates a high severity vulnerability with potential for complete compromise of affected systems. No EPSS score is available, but the lack of exposure in the CISA KEV catalog suggests no widely known public exploits yet. The attack vector is likely local, relying on the ability to supply unsanitized arguments to a privileged command, though a remote vector is possible if the application accepts input from external sources. Until a patch is deployed, the risk remains significant."}}}}, "created": "2026-04-14T16:15:36.043049+00:00", "title": "Privilege Escalation via Argument Injection in upKeeper Instant Privilege Access", "updated": "2026-04-14T16:30:32.973438+00:00", "vendors": ["upkeeper_solutions", "upkeeper_solutions$PRODUCT$upkeeper_instant_privlege_access"]}