Cyber Resilience

CVE-2026-21626

Critical

Published: 06 February 2026
Modified: 18 February 2026
KEV Added: not listed
CVSS Score (v4): 9.2, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0037 (28.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-21626 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Stackideas Easydiscuss. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 28.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2026-21626 affects the EasyDiscuss forum software from StackIdeas, where access control settings for forum post custom fields are not applied to the JSON output type. This results in an access control list (ACL) violation that enables information disclosure, mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability received a CVSS v3.1 base score of 7.5 and was published on 2026-02-06.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows disclosure of sensitive information from custom fields via the JSON output (C:H), with no impact on integrity or availability and unchanged scope (S:U).
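To make the bug class concrete, here is an added Python illustration (not EasyDiscuss code; the field names, groups and helper functions are hypothetical) of a custom-field ACL enforced in the HTML renderer but skipped in the JSON renderer, beside the fix of applying the check once, before any output format is chosen.

```python
from dataclasses import dataclass, field

# Hypothetical model of a forum post custom field with view restrictions.
@dataclass
class CustomField:
    name: str
    value: str
    allowed_groups: set  # groups permitted to view the field; empty set = public

@dataclass
class Viewer:
    groups: set = field(default_factory=set)  # empty = unauthenticated guest

def can_view(viewer: Viewer, cf: CustomField) -> bool:
    return not cf.allowed_groups or bool(viewer.groups & cf.allowed_groups)

# Vulnerable pattern: each output format filters on its own, and the JSON path
# never applies the ACL, so an unauthenticated caller asking for JSON sees every field.
def render_vulnerable(viewer, fields, fmt):
    if fmt == "json":
        return [{"name": cf.name, "value": cf.value} for cf in fields]  # no ACL check
    return [f"<li>{cf.name}: {cf.value}</li>" for cf in fields if can_view(viewer, cf)]

# Hardened pattern: authorization happens once, before the format branch,
# so no renderer can forget it.
def authorized_fields(viewer, fields):
    return [cf for cf in fields if can_view(viewer, cf)]

def render_fixed(viewer, fields, fmt):
    visible = authorized_fields(viewer, fields)
    if fmt == "json":
        return [{"name": cf.name, "value": cf.value} for cf in visible]
    return [f"<li>{cf.name}: {cf.value}</li>" for cf in visible]

# Constructed sample data (hypothetical field names and groups).
SAMPLE_FIELDS = [
    CustomField("department", "Sales", set()),
    CustomField("internal_ticket", "INC-0042", {"staff"}),
]
GUEST = Viewer()
STAFF = Viewer({"staff"})

def field_names(rendered):
    """Names present in a rendered JSON list (used to compare the two paths)."""
    return [f["name"] for f in rendered]

if __name__ == "__main__":
    print("vulnerable JSON to guest:", field_names(render_vulnerable(GUEST, SAMPLE_FIELDS, "json")))
    print("fixed JSON to guest:     ", field_names(render_fixed(GUEST, SAMPLE_FIELDS, "json")))
```

The same structural fix is the reason AC-3 style access enforcement belongs in the data layer rather than in each view.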

Mitigation details are available in the vendor advisory at https://stackideas.com/easydiscuss.

Vulnerability details

Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation and an information disclosure.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of public-facing web app (forum) for unauthorized data access via ACL bypass.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21625: same product (Stackideas Easydiscuss)
CVE-2026-34297: shared CWE-200
CVE-2025-22918: shared CWE-200
CVE-2026-2262: shared CWE-200
CVE-2026-22237: shared CWE-200
CVE-2026-23659: shared CWE-200
CVE-2026-24498: shared CWE-200
CVE-2026-32098: shared CWE-200
CVE-2026-24422: shared CWE-200
CVE-2025-25951: shared CWE-200

Affected Assets

stackideas easydiscuss, versions 1.0.0 through 5.0.15

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Enforces approved authorizations for logical access to information across all outputs, directly preventing ACL bypass in JSON format for custom fields.

Prevent: Filters information prior to output to prevent unauthorized disclosure of sensitive custom field data via JSON responses.

Detect / Respond (AU-13, Monitoring for Information Disclosure): Monitors system activity for unauthorized information disclosures like those from JSON ACL violations and triggers alerts and responses.
