{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26102", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "state": "PUBLISHED", "assignerShortName": "Nozomi", "dateReserved": "2026-02-11T09:59:47.767Z", "datePublished": "2026-02-20T16:56:18.873Z", "dateUpdated": "2026-02-20T23:02:51.636Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "opds", "vendor": "Owl", "versions": [{"lessThanOrEqual": "2.2.0.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Luca Borzacchiello at Nozomi Networks"}, {"lang": "en", "type": "finder", "value": "Gabriele Quagliarella at Nozomi Networks"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.<br>"}], "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request."}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.5, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2026-02-20T16:56:18.873Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26102"}], "source": {"discovery": "UNKNOWN"}, "title": "Incorrect Permission Assignment for Critical Resource in Owl opds", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T17:42:44.564322Z", "id": "CVE-2026-26102", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T23:02:51.636Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26102", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T17:42:44.564322Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T17:42:51.788Z"}}], "cna": {"title": "Incorrect Permission Assignment for Critical Resource in Owl opds", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Luca Borzacchiello at Nozomi Networks"}, {"lang": "en", "type": "finder", "value": "Gabriele Quagliarella at Nozomi Networks"}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Owl", "product": "opds", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.0.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26102", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2026-02-20T16:56:18.873Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26102", "state": "PUBLISHED", "dateUpdated": "2026-02-20T23:02:51.636Z", "dateReserved": "2026-02-11T09:59:47.767Z", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "datePublished": "2026-02-20T16:56:18.873Z", "assignerShortName": "Nozomi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8B979FF6-C6CD-47C0-9409-EBF036DB39E6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:owlcyberdefense:opds-100:-:*:*:*:*:*:*:*", "matchCriteriaId": "76B6558D-D323-40D3-99A7-909C24D49951", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8B979FF6-C6CD-47C0-9409-EBF036DB39E6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:owlcyberdefense:opds-1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FA72CA3A-BE76-49B0-A670-3EB19D29333D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request."}, {"lang": "es", "value": "Asignaci\u00f3n incorrecta de permisos para un recurso cr\u00edtico en Owl opds 2.2.0.4 permite la manipulaci\u00f3n de archivos mediante una solicitud de red especialmente dise\u00f1ada."}], "id": "CVE-2026-26102", "lastModified": "2026-02-27T17:00:09.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "prodsec@nozominetworks.com", "type": "Secondary"}]}, "published": "2026-02-20T17:25:55.120", "references": [{"source": "prodsec@nozominetworks.com", "tags": ["Third Party Advisory"], "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26102"}], "sourceIdentifier": "prodsec@nozominetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "prodsec@nozominetworks.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "opds", "source": "cna", "vendor": "Owl"}, "product": "opds", "vendor": "owl"}], "analysis": {"en": {"generated_at": "2026-04-18T11:29:12.120942+00:00", "value": {"mitigation_remediation": ["Upgrade the Owl opds\u2011talon appliance to the latest firmware that includes the patched permission enforcement logic.", "If a patch is unavailable, isolate the device from untrusted networks and restrict management\u2011interface access to trusted IP ranges using firewall or VLAN rules.", "Reconfigure file permissions on all critical resources to the minimum necessary level, ensuring non\u2011administrative roles have no write access and that ACLs reflect the intended security posture.", "Enable file\u2011integrity monitoring to detect unauthorized modifications to configuration files and alert administrators promptly."], "summary": {"action": "Patch", "impact": "File Manipulation"}, "threat_synthesis": {"affected_systems": "Products from Owl Cyberdefense are impacted, specifically the Owl opds\u2011talon platform version 2.2.0.4. Earlier OPDS releases such as opds\u20111000 and opds\u2011100 may also use the same code path and could share the vulnerability, but only 2.2.0.4 is confirmed. The affected environment is a hardware appliance that exposes a management interface over the network.", "description_and_impact": "A misassignment of file permissions allows an attacker to modify or delete critical files on the device. A specially crafted network request can overwrite legitimate configuration files or inject malicious code, compromising data integrity and potentially leading to further exploitation. The flaw is identified as CWE\u2011732, indicating incorrect permission assignment that unintentionally exposes sensitive resources.", "risk_and_exploitability": "The advisory rates the vulnerability high with a CVSS score of 8.5, yet the EPSS score is reported as less than 1%, indicating a low likelihood of current exploitation. The issue is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, requiring the attacker to send a crafted request to the device\u2019s exposed management interface. No explicit authentication requirement is noted, so the service may be exploitable without credentials, but the exact prerequisites remain uncertain. Successful exploitation would enable manipulation of critical system files, undermining the integrity and availability of the device."}}}}, "created": "2026-02-23T14:35:25.808803+00:00", "updated": "2026-04-18T11:30:44.327480+00:00", "vendors": ["owl", "owl$PRODUCT$opds"]}