{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28261", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-02-25T18:04:25.462Z", "datePublished": "2026-04-08T12:43:54.291Z", "dateUpdated": "2026-04-09T03:55:55.676Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-08T12:43:54.291Z"}, "datePublic": "2026-04-05T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "Elastic Cloud Storage", "versions": [{"status": "affected", "version": "0", "lessThan": "4.2.0.1 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Dell", "product": "ObjectScale", "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.0.3", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "4.2.0.1 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale,\u00a0versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-28261"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T03:55:55.676Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T13:55:34.659222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T13:55:38.761Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "Elastic Cloud Storage", "versions": [{"status": "affected", "version": "0", "lessThan": "4.2.0.1 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Dell", "product": "ObjectScale", "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.0.3", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "4.2.0.1 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-05T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale,\u00a0versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.", "supportingMedia": [{"type": "text/html", "value": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-08T12:43:54.291Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28261", "state": "PUBLISHED", "dateUpdated": "2026-04-09T03:55:55.676Z", "dateReserved": "2026-02-25T18:04:25.462Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-04-08T12:43:54.291Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:elastic_cloud_storage:*:*:*:*:*:*:*:*", "matchCriteriaId": "950FB7D3-F08F-4FB1-8755-B0BE20AF7299", "versionEndExcluding": "4.2.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:objectscale:*:*:*:*:*:*:*:*", "matchCriteriaId": "748662DA-E2CE-45DB-B05E-0C91B27FF232", "versionEndExcluding": "4.1.0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:objectscale:4.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "811FBEA7-6305-4DC7-B082-51C3A78C192D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale,\u00a0versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account."}], "id": "CVE-2026-28261", "lastModified": "2026-04-13T18:20:21.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T13:16:41.533", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.2.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Elastic Cloud Storage", "source": "cna", "vendor": "Dell"}, "product": "elastic_cloud_storage", "vendor": "dell"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.1.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.2.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ObjectScale", "source": "cna", "vendor": "Dell"}, "product": "objectscale", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-13T19:51:49.226122+00:00", "value": {"mitigation_remediation": ["Apply the Dell security update referenced in the Dell Knowledge Base article to upgrade to a non\u2011affected release of Elastic Cloud Storage or ObjectScale.", "Configure the product or the underlying operating system so that log files do not contain sensitive data and are protected from read access by non\u2011privileged local users, using file permissions.", "If a patch cannot be applied promptly, restrict access to the log directories and monitor for any unauthorized read activity.", "Check the Dell website for newer advisories or supplemental mitigations if the current fix does not fully cover the environment."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "Affected are Dell Elastic Cloud Storage releases 3.8.1.7 and earlier and Dell ObjectScale versions before 4.1.0.3, as well as version 4.2.0.0. Any deployment of these products that has not applied the security update listed in the Dell Knowledge Base article is at risk. The vulnerability is present whenever the product is installed on a system that writes sensitive data to its logs.", "description_and_impact": "The vulnerability allows a low\u2011privileged local user to cause system components to write sensitive data, such as authentication tokens or credentials, directly to log files. The insertion of this data into logs violates confidentiality and may let the attacker read those logs and extract secrets. By leveraging the exposed secrets, an attacker could potentially access the system with the privileges of the compromised local account. The weakness is classified as CWE\u2011532, an insertion of sensitive information into log files.", "risk_and_exploitability": "The CVSS base score of 7.8 indicates a high severity level based solely on potential for secret disclosure. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires local, non\u2011privileged access and the ability to read log files, which is typically available to any local user on the host. If an attacker can read the logs they can obtain secrets; the description does not indicate any remote exploitation paths or denial\u2011of\u2011service impact. The risk is therefore confined to confidentiality compromise and potential local privilege or other exploitation that may follow."}}}}, "created": "2026-04-08T19:27:05.482021+00:00", "updated": "2026-04-14T16:38:16.846064+00:00", "vendors": ["dell", "dell$PRODUCT$elastic_cloud_storage", "dell$PRODUCT$objectscale"]}