Cyber Posture

CVE-2026-1670

Severity: Critical
Published: 17 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1670 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cisa (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 7.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Account Manipulation (T1098). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

AC-14 (prevent): AC-14 directly prohibits unauthenticated access to critical functions, such as the API endpoint for modifying the "forgot password" recovery email address, unless explicitly justified and limited.

IA-8 (prevent): IA-8 mandates unique identification and authentication for non-organizational users, blocking unauthenticated remote attackers from exploiting the exposed API.

SC-14 (prevent): SC-14 enforces authentication and safeguards for publicly accessible systems, mitigating the unauthenticated API endpoint exposure.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Why these techniques?

Unauthenticated public API endpoint directly enables remote exploitation of a public-facing application (T1190); successful abuse permits unauthorized modification of account recovery settings, mapping to account manipulation (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.

Deeper analysis (AI-generated)

CVE-2026-1670 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2026-02-17, stemming from CWE-306 (Missing Authentication for Critical Function). It involves an unauthenticated API endpoint exposure in affected products detailed in ICSA-26-048-04, enabling remote modification of the "forgot password" recovery email address without authentication.

Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to alter the recovery email, potentially hijacking password reset processes to gain unauthorized access to accounts, resulting in high impacts on confidentiality, integrity, and availability.

Mitigation guidance is provided in official advisories, including CISA's ICSA-26-048-04 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-04, the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-048-04.json, and Honeywell support resources at https://www.honeywell.com/us/en/contact/support. Security practitioners should consult these for patching instructions and workarounds.

Details

CWE(s)

CWE-306 Missing Authentication for Critical Function

Affected Products

Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-26359 (shared CWE-306)
CVE-2025-26347 (shared CWE-306)
CVE-2025-6260 (shared CWE-306)
CVE-2025-40736 (shared CWE-306)
CVE-2025-26341 (shared CWE-306)
CVE-2026-27012 (shared CWE-306)
CVE-2026-1453 (shared CWE-306)
CVE-2026-31882 (shared CWE-306)
CVE-2025-27642 (shared CWE-306)
CVE-2021-47891 (shared CWE-306)

References