Cyber Posture

CVE-2026-28261

High

Published: 08 April 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28261 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Dell ObjectScale. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 3.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Credentials In Files (T1552.001) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AU-9 requires protecting audit information from unauthorized access, modification, and deletion, directly preventing low-privileged local attackers from reading sensitive secrets in exposed log files.

Prevent: SI-11 mandates error handling that avoids disclosing exploitable information, directly addressing the insertion of sensitive data into log files.

Prevent: SC-4 prevents unauthorized transfer of information via shared system resources like log files accessible to low-privileged users.

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

The vulnerability inserts secrets directly into local log files (CWE-532), enabling adversaries to discover and read insecurely stored credentials via local file access on the system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.

Deeper analysis

CVE-2026-28261 is an Insertion of Sensitive Information into Log File vulnerability (CWE-532) present in Dell Elastic Cloud Storage version 3.8.1.7 and prior, as well as Dell ObjectScale versions prior to 4.1.0.3 and version 4.2.0.0. This flaw allows sensitive information to be logged, potentially exposing secrets. The vulnerability was published on 2026-04-08 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts under local access conditions.

A low-privileged attacker with local access to the affected systems can exploit this vulnerability by accessing the log files containing the inserted sensitive information. Successful exploitation leads to secret exposure, enabling the attacker to use those secrets to gain access to the vulnerable system with the privileges of the compromised account.

Dell's security advisory DSA-2026-143, detailed at https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability, provides security updates addressing this vulnerability in the affected Dell ObjectScale versions.

Details

CWE(s)

Affected Products

dell elastic cloud storage: ≤ 4.2.0.1
dell objectscale: 4.2.0.0 · ≤ 4.1.0.3

CVEs Like This One

CVE-2026-22273 (Same product: Dell Elastic Cloud Storage)
CVE-2026-22271 (Same product: Dell Elastic Cloud Storage)
CVE-2025-23374 (Same vendor: Dell)
CVE-2026-23775 (Same vendor: Dell)
CVE-2024-48831 (Same vendor: Dell)
CVE-2026-21417 (Same vendor: Dell)
CVE-2025-21111 (Same vendor: Dell)
CVE-2025-36589 (Same vendor: Dell)
CVE-2025-21102 (Same vendor: Dell)
CVE-2025-36568 (Same vendor: Dell)
