Cyber Posture

CVE-2026-27102

Medium

Published: 08 April 2026

Published
08 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0001 3.0th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27102 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Dell Powerscale Onefs. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the incorrect privilege assignment vulnerability by requiring timely installation of vendor patches as provided in Dell's DSA-2026-125 advisory.

AC-6 Least Privilege good match
prevent

Enforces least privilege to restrict low-privileged local users from escalating access due to incorrect privilege assignments.

AC-2 Account Management good match
prevent

Manages account privileges to identify, assign, and review incorrect privilege assignments that enable local escalation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local privilege escalation via incorrect privilege assignment (CWE-266) directly maps to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dell PowerScale OneFS, versions 9.5.0.0 through 9.10.1.6 and versions 9.11.0.0 through 9.13.0.1, contains an incorrect privilege assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.

Deeper analysisAI

CVE-2026-27102 is an incorrect privilege assignment vulnerability (CWE-266) in Dell PowerScale OneFS, affecting versions 9.5.0.0 through 9.10.1.6 and 9.11.0.0 through 9.13.0.1. Published on 2026-04-08, it carries a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H), indicating medium severity with local attack vector, low attack complexity, and impacts across confidentiality, integrity, and high availability.

A low-privileged attacker with local access can exploit this vulnerability to elevate privileges on the affected system. The exploit requires no user interaction and has unchanged scope, potentially allowing the attacker to gain higher-level access beyond their initial permissions.

Dell has addressed this issue in security advisory DSA-2026-125, available at https://www.dell.com/support/kbdoc/en-us/000449337/dsa-2026-125-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities, which provides patches for this and multiple other vulnerabilities in PowerScale OneFS. Security practitioners should apply the relevant updates to affected versions.

Details

CWE(s)
CWE-266

Affected Products

dell
powerscale onefs
9.5.0.0 — 9.10.1.7 · 9.11.0.0 — 9.13.0.2

CVEs Like This One

CVE-2026-21425Same product: Dell Powerscale Onefs
CVE-2026-25907Same product: Dell Powerscale Onefs
CVE-2026-22279Same product: Dell Powerscale Onefs
CVE-2026-22278Same product: Dell Powerscale Onefs
CVE-2024-49561Same vendor: Dell
CVE-2026-22267Same vendor: Dell
CVE-2026-32655Same vendor: Dell
CVE-2025-21105Same vendor: Dell
CVE-2026-25906Same vendor: Dell
CVE-2026-23857Same vendor: Dell

References