Cyber Resilience

CVE-2026-26101

HighLPE

Published: 20 February 2026

Published
20 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 1.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26101 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Owlcyberdefense Opds-Talon. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26101, published on 2026-02-20, is an Incorrect Permission Assignment for Critical Resource vulnerability (CWE-732) in Owl opds version 2.2.0.4. This flaw enables file manipulation via a crafted network request due to improper permissions on a critical resource. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with local access vector, low attack complexity, and low privileges required.

A local attacker with low privileges (PR:L) can exploit this vulnerability without user interaction by sending a crafted network request. Successful exploitation allows file manipulation on critical resources, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigation details are provided in the advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26101.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.010 Services File Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Incorrect permission assignment (CWE-732) on a critical resource directly enables abuse of file system permissions weakness (T1044) by a low-privileged local attacker; the resulting file manipulation with high C/I/A impact constitutes exploitation of a software vulnerability for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26102Same product: Owlcyberdefense Opds-100
CVE-2026-26093Same product: Owlcyberdefense Opds-100
CVE-2026-2333Same product: Owlcyberdefense Opds-100
CVE-2019-25343Shared CWE-732
CVE-2026-22676Shared CWE-732
CVE-2019-25344Shared CWE-732
CVE-2025-33088Shared CWE-732
CVE-2025-21325Shared CWE-732
CVE-2025-12985Shared CWE-732
CVE-2026-25112Shared CWE-732

Affected Assets

owlcyberdefense
opds-talon
2.2.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Employs least privilege to prevent low-privilege local attackers from manipulating critical resources via crafted network requests.

prevent

Enforces approved authorizations on critical resources, directly countering incorrect permission assignments that enable file manipulation.

prevent

Mandates secure configuration settings for critical resources, including proper file permissions, to mitigate improper assignments in Owl opds.

References