{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26095", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "state": "PUBLISHED", "assignerShortName": "Nozomi", "dateReserved": "2026-02-11T09:59:47.766Z", "datePublished": "2026-02-20T16:51:57.085Z", "dateUpdated": "2026-02-20T23:04:03.576Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "opds", "vendor": "Owl", "versions": [{"lessThanOrEqual": "2.2.0.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Luca Borzacchiello at Nozomi Networks"}, {"lang": "en", "type": "finder", "value": "Gabriele Quagliarella at Nozomi Networks"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.<br>"}], "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request."}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.5, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2026-02-20T16:51:57.085Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26095"}], "source": {"discovery": "UNKNOWN"}, "title": "Incorrect Permission Assignment for Critical Resource in Owl opds", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T17:56:42.627632Z", "id": "CVE-2026-26095", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T23:04:03.576Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26095", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T17:56:42.627632Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T17:57:07.740Z"}}], "cna": {"title": "Incorrect Permission Assignment for Critical Resource in Owl opds", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Luca Borzacchiello at Nozomi Networks"}, {"lang": "en", "type": "finder", "value": "Gabriele Quagliarella at Nozomi Networks"}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Owl", "product": "opds", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26095", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2026-02-20T16:51:57.085Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26095", "state": "PUBLISHED", "dateUpdated": "2026-02-20T23:04:03.576Z", "dateReserved": "2026-02-11T09:59:47.766Z", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "datePublished": "2026-02-20T16:51:57.085Z", "assignerShortName": "Nozomi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8B979FF6-C6CD-47C0-9409-EBF036DB39E6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:owlcyberdefense:opds-100:-:*:*:*:*:*:*:*", "matchCriteriaId": "76B6558D-D323-40D3-99A7-909C24D49951", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8B979FF6-C6CD-47C0-9409-EBF036DB39E6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:owlcyberdefense:opds-1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FA72CA3A-BE76-49B0-A670-3EB19D29333D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request."}, {"lang": "es", "value": "Asignaci\u00f3n incorrecta de permisos para un recurso cr\u00edtico en Owl opds 2.2.0.4 permite la manipulaci\u00f3n de archivos mediante una solicitud de red manipulada."}], "id": "CVE-2026-26095", "lastModified": "2026-02-27T17:07:55.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "prodsec@nozominetworks.com", "type": "Secondary"}]}, "published": "2026-02-20T17:25:54.007", "references": [{"source": "prodsec@nozominetworks.com", "tags": ["Third Party Advisory"], "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26095"}], "sourceIdentifier": "prodsec@nozominetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "prodsec@nozominetworks.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "opds", "source": "cna", "vendor": "Owl"}, "product": "opds", "vendor": "owl"}], "analysis": {"en": {"generated_at": "2026-04-18T11:29:46.206104+00:00", "value": {"mitigation_remediation": ["Upgrade to a firmware release that corrects the permission handling flaw (consult Owl CyberDefense support for the latest patch or release).", "Restrict external network access to the device\u2019s management interface through firewalls or VPNs so that only trusted administrators can reach it.", "Enable audit logging for file write operations and configure alerts for unexpected changes to critical configuration or system files."], "summary": {"action": "Apply Patch", "impact": "File Manipulation"}, "threat_synthesis": {"affected_systems": "Owl CyberDefense Opds hardware models Opds\u20111000 and Opds\u2011100, as well as the Opds Talon version 2.2.0.4, are affected. The vulnerability is documented for the 2.2.0.4 firmware, and users of earlier or earlier generation hardware should verify whether the same permission logic applies. Vendors and administrators should check the exact device model and firmware version against the CVE advisory to determine if the device is impacted.", "description_and_impact": "The vulnerability arises from incorrect permission assignment on a critical resource within Owl CyberDefense Opds, allowing an attacker to manipulate files on the device through a crafted network request. This flaw can enable modification of configuration, firmware, or other system files, potentially facilitating further compromise or denial of service. The weakness is classified as CWE\u2011732, indicating improper access control over write permissions.", "risk_and_exploitability": "The CVSS score of 8.5 classifies the issue as high severity, while the EPSS score of less than 1 percent indicates a very low probability of exploitation at present. The likely attack vector is over the network, as the description indicates that a crafted network request can trigger file manipulation. Since the vulnerability is not listed in the CISA KEV catalogue, there is no evidence of widespread exploitation, but its high severity and the potential for critical file changes warrant prompt mitigation."}}}}, "created": "2026-02-23T14:35:32.760182+00:00", "updated": "2026-04-18T11:30:44.328684+00:00", "vendors": ["owl", "owl$PRODUCT$opds"]}