CVE-2026-26417
Published: 05 March 2026
Summary
CVE-2026-26417 is a high-severity Improper Access Control (CWE-284) vulnerability in Tcs Cognix Platform. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-26417 is a broken access control vulnerability (CWE-284) in the password reset functionality of Tata Consultancy Services Cognix Recon Client version 3.0. Published on 2026-03-05, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts without requiring user interaction or elevated privileges beyond basic authentication.
An authenticated user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) by crafting malicious requests to the password reset endpoint. This allows the attacker to reset passwords for arbitrary user accounts, potentially enabling full account takeover and unauthorized access to sensitive data or systems associated with those accounts.
Advisories and further details are available in the dedicated repositories at https://github.com/aksalsalimi/CVE-2026-26417 and https://github.com/aksalsalimi/cognix-recon-client-security-advisories, which provide additional context on the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9841
Vulnerability details
A broken access control vulnerability in the password reset functionality of Tata Consultancy Services Cognix Recon Client v3.0 allows authenticated users to reset passwords of arbitrary user accounts via crafted requests.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
Broken access control in the password reset flow lets a low-privileged authenticated user reset any account's password, which directly enables account manipulation (T1098) for takeover, abuse of valid accounts (T1078), and privilege escalation through the access those accounts grant (T1068).
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- AC-3 (Access Enforcement): enforces approved access control policies so that a low-privileged authenticated user cannot reset the passwords of arbitrary accounts through the vulnerable endpoint.
- IA-5 (Authenticator Management): mandates secure authenticator management with identity verification before a credential is changed, directly mitigating unauthorized password resets for other users.
- AC-6 (Least Privilege): limits each account to the privileges it needs, reducing the chance that a low-privileged user can reach password reset functions for other accounts at all.