Cyber Resilience

CVE-2026-26102

HighLPE

Published: 20 February 2026

Published
20 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 1.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26102 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Owlcyberdefense Opds-Talon. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26102 is an Incorrect Permission Assignment for Critical Resource vulnerability (CWE-732) affecting Owl opds version 2.2.0.4. It enables file manipulation through a crafted network request due to improper permissions on a critical resource. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with significant impacts on confidentiality, integrity, and availability.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. By sending a crafted network request, the attacker can manipulate files, potentially leading to unauthorized data access, modification, or deletion on the affected system.

The primary advisory reference is available from Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26102, which provides details relevant to mitigation strategies. The vulnerability was published on 2026-02-20T17:25:55.120.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.010 Services File Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The described CWE-732 weakness directly matches T1044 (incorrect file system permissions on a critical resource). Exploitation by a local low-privileged attacker enables unauthorized local file access (T1005) and stored data manipulation (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26101Same product: Owlcyberdefense Opds-100
CVE-2026-26093Same product: Owlcyberdefense Opds-100
CVE-2026-2333Same product: Owlcyberdefense Opds-100
CVE-2025-33088Shared CWE-732
CVE-2026-23648Shared CWE-732
CVE-2025-0590Shared CWE-732
CVE-2019-25343Shared CWE-732
CVE-2026-22676Shared CWE-732
CVE-2019-25344Shared CWE-732
CVE-2024-57547Shared CWE-732

Affected Assets

owlcyberdefense
opds-talon
2.2.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege to prevent low-privileged local attackers from manipulating critical resources due to incorrect permission assignments.

prevent

Enforces approved authorizations for access to system resources, directly countering improper permissions that allow file manipulation via crafted network requests.

prevent

Restricts access to changes such as file manipulations to authorized roles only, mitigating unauthorized modifications enabled by incorrect permissions on critical resources.

References