CVE-2026-2339
Published: 10 March 2026
Summary
CVE-2026-2339 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Gov (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-2339 is a Missing Authentication for Critical Function vulnerability, classified under CWE-306, in the Liderahenk software developed by TUBITAK BILGEM Software Technologies Research Institute. This flaw affects Liderahenk versions prior to 3.5.1 and enables remote code inclusion, privilege abuse, and command injection when authentication is bypassed for critical functions.
The vulnerability carries a CVSS v3.1 base score of 7.5 (High), with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. Remote attackers require no privileges but must overcome high attack complexity and rely on user interaction to exploit it over the network. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution and privilege escalation.
The advisory published by USOM on March 10, 2026, provides further details at https://www.usom.gov.tr/bildirim/tr-26-0087. Upgrading to Liderahenk version 3.5.1 resolves the issue for affected systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10494
Vulnerability details
Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection. This issue affects Liderahenk: before 3.5.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing auth (CWE-306) on critical functions directly enables remote exploitation of a public-facing app (T1190) for command injection (T1059) and privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses missing authentication for critical functions by requiring identification, documentation, and restriction of permitted actions without identification or authentication.
Enforces approved authorizations for logical access to critical functions, preventing exploitation via remote code inclusion, privilege abuse, and command injection.
Remediates the specific flaw in Liderahenk versions prior to 3.5.1 through timely patching to the fixed version 3.5.1.