Cyber Posture

CVE-2026-22727

High

Published: 17 March 2026

Modified: 18 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22727 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Cloud Foundry (product inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 1.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

AC-14 directly addresses missing authentication for critical functions by requiring identification and restriction of unprotected endpoints that allow replacement of droplets and access to secure application information.

prevent

AC-3 enforces approved authorizations for logical access to internal endpoints and resources, preventing unauthorized users from replacing droplets and applications after firewall bypass.

prevent

SC-7 monitors and controls communications at key internal boundaries, providing additional protection for unprotected endpoints even if the perimeter firewall has been bypassed.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Missing authentication on internal CAPI endpoints directly enables exploitation of remote Cloud Foundry services (post-firewall bypass) to modify/replace applications and access sensitive data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Unprotected internal endpoints in Cloud Foundry Capi Release 1.226.0 and below, and CF Deployment v54.9.0 and below on all platforms allows any user who has bypassed the firewall to potentially replace droplets and therefore applications allowing them to access secure application information.

Deeper analysis

CVE-2026-22727 involves unprotected internal endpoints in Cloud Foundry Capi Release 1.226.0 and below, as well as CF Deployment v54.9.0 and below across all platforms. Published on 2026-03-17, this vulnerability, linked to CWE-306 (Missing Authentication for Critical Function), carries a CVSS v3.1 base score of 7.5 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high impacts on confidentiality, integrity, and availability with adjacent network access and high attack complexity required.

Attackers who have already bypassed the platform's firewall can exploit these endpoints without privileges to replace droplets and applications, potentially accessing secure application information. No user interaction is needed, but exploitation demands network proximity and circumvention of perimeter defenses.

The Cloud Foundry advisory provides further details on mitigation at https://www.cloudfoundry.org/blog/cve-2026-22727-unprotected-internal-endpoints.

Details

CWE(s)

Affected Products

Cloudfoundry
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-13779 (shared CWE-306)
CVE-2026-27182 (shared CWE-306)
CVE-2025-14300 (shared CWE-306)
CVE-2026-41176 (shared CWE-306)
CVE-2025-21198 (shared CWE-306)
CVE-2025-65824 (shared CWE-306)
CVE-2026-4436 (shared CWE-306)
CVE-2025-27020 (shared CWE-306)
CVE-2026-28485 (shared CWE-306)
CVE-2026-4272 (shared CWE-306)
