CVE-2020-36926
Published: 16 January 2026
Summary
CVE-2020-36926 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Smartertools Smartertrack. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2020-36926 is an information disclosure vulnerability in SmarterTrack version 7922. The issue affects the Chat Management search form, accessible via the /Management/Chat/frmChatSearch.aspx endpoint, which exposes agent identification details including first names, last names, and unique identifiers. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-497.
Remote, unauthenticated attackers can exploit the vulnerability by directly accessing the affected endpoint over the network with low complexity and no user interaction required. Successful exploitation enables retrieval of sensitive agent personal information, which could facilitate targeted social engineering, phishing, or reconnaissance for subsequent attacks.
References include a proof-of-concept exploit on Exploit-DB (ID 50328), vendor resources from SmarterTools, and an advisory from Vulncheck detailing the SmarterTrack information disclosure. Security practitioners should review these sources for any recommended mitigations, such as endpoint access restrictions or software updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3035
Vulnerability details
SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote access to public web endpoint directly enables T1190 exploitation for identity data exposure matching T1589.003 employee names/identifiers.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations to block unauthenticated access to the /Management/Chat/frmChatSearch.aspx endpoint, preventing disclosure of agent identification details.
Protects publicly accessible endpoints like the vulnerable Chat Management search form from unauthorized logical access and sensitive information disclosure.
Identifies, reports, and corrects the specific information disclosure flaw in SmarterTrack version 7922 through timely flaw remediation.