Cyber Resilience

CVE-2026-28261

High

Published: 08 April 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28261 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Dell ObjectScale. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 3.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-9 (Protection of Audit Information) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-28261 is an Insertion of Sensitive Information into Log File vulnerability (CWE-532) present in Dell Elastic Cloud Storage version 3.8.1.7 and prior, as well as Dell ObjectScale versions prior to 4.1.0.3 and version 4.2.0.0. This flaw allows sensitive information to be logged, potentially exposing secrets. The vulnerability was published on 2026-04-08 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts under local access conditions.

A low-privileged attacker with local access to the affected systems can exploit this vulnerability by accessing the log files containing the inserted sensitive information. Successful exploitation leads to secret exposure, enabling the attacker to use those secrets to gain access to the vulnerable system with the privileges of the compromised account.

Dell's security advisory DSA-2026-143, detailed at https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability, provides security updates addressing this vulnerability in the affected Dell ObjectScale versions.

EU & UK References

Vulnerability details

Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability inserts secrets directly into local log files (CWE-532), enabling adversaries to discover and read insecurely stored credentials via local file access on the system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40636 · Same product: Dell Elastic Cloud Storage
CVE-2026-35157 · Same product: Dell Elastic Cloud Storage
CVE-2026-22273 · Same product: Dell Elastic Cloud Storage
CVE-2026-22271 · Same product: Dell Elastic Cloud Storage
CVE-2026-23775 · Same vendor: Dell
CVE-2025-23374 · Same vendor: Dell
CVE-2024-48831 · Same vendor: Dell
CVE-2026-21417 · Same vendor: Dell
CVE-2025-21111 · Same vendor: Dell
CVE-2025-36589 · Same vendor: Dell

Affected Assets

Vendor: dell · Product: elastic cloud storage · Versions: ≤ 4.2.0.1
Vendor: dell · Product: objectscale · Versions: 4.2.0.0 · ≤ 4.1.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: AU-9 requires protecting audit information from unauthorized access, modification, and deletion, directly preventing low-privileged local attackers from reading sensitive secrets in exposed log files.

Prevent: SI-11 mandates error handling that avoids disclosing exploitable information, directly addressing the insertion of sensitive data into log files.

Prevent: SC-4 prevents unauthorized transfer of information via shared system resources like log files accessible to low-privileged users.

References