CVE-2026-34184
Published: 09 April 2026
Summary
CVE-2026-34184 is a critical-severity Missing Authorization (CWE-862) vulnerability in Hydrosystem.Poznan Control System. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Requires the system to enforce approved authorizations for logical access to information and resources such as the vulnerable directories, directly preventing unauthorized reads and executions.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation, including patching to version 9.8.5, which eliminates the missing authorization vulnerability.
- Monitors system and network connections to detect unauthorized access to, and exploitation of, the unprotected directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a missing authorization vulnerability in a public-facing control system application, enabling remote exploitation (T1190), access to local files (T1005), and execution of arbitrary PHP scripts (T1059).
NVD Description
Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically, the attacker could run PHP scripts directly on the connected database. This issue was fixed in Hydrosystem Control System version 9.8.5.
Deeper analysis
CVE-2026-34184 is a missing authorization vulnerability (CWE-862) in the Hydrosystem Control System, where the software fails to enforce authorization checks for certain directories. This flaw affects versions prior to 9.8.5 of the Hydrosystem Control System, allowing unauthorized access to sensitive files within those directories. The vulnerability has a CVSS v3.1 base score of 9.1 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality and integrity.
An unauthenticated attacker with network access can exploit this vulnerability remotely by directly accessing the unprotected directories. Successful exploitation enables the attacker to read all files in these directories, execute certain files, and critically, run arbitrary PHP scripts directly on the connected database, potentially leading to data exfiltration, modification, or further system compromise.
The issue was addressed in Hydrosystem Control System version 9.8.5, which patches the authorization enforcement. Additional details are available in advisories from CERT Polska at https://cert.pl/posts/2026/04/CVE-2026-4901/ and the vendor site at https://www.hydrosystem.poznan.pl/. Security practitioners should upgrade to the fixed version and review access controls on exposed directories.
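The following is an added, illustrative model of the CWE-862 pattern described above and of the AC-3 style fix; it is not Hydrosystem code, and the directory names, roles and the "PHP means execute" rule are assumptions made for the example. The "before" handler serves any directory to any caller, while the "after" handler denies by default and consults a per-directory policy for both read and execute requests.

```python
from pathlib import PurePosixPath

# Constructed policy (AC-3 style): per directory, which roles may read and which may
# execute. Directory names and roles are hypothetical, not the product's real layout.
DIRECTORY_POLICY = {
    "public":  {"read": {"anonymous", "operator", "admin"}, "execute": set()},
    "reports": {"read": {"operator", "admin"},              "execute": set()},
    "scripts": {"read": {"admin"},                          "execute": {"admin"}},
}

class Forbidden(Exception):
    """Raised by the fixed handler when the policy does not grant the request."""

def normalize(path: str) -> PurePosixPath:
    """Collapse '.' and '..' so the directory check sees the real first component."""
    parts = []
    for part in PurePosixPath("/" + path).parts[1:]:
        if part == "..":
            if parts:
                parts.pop()
        elif part not in ("", "."):
            parts.append(part)
    return PurePosixPath(*parts)

def requested_action(p: PurePosixPath) -> str:
    """Assumption for the model: .php requests execute server-side code, others read."""
    return "execute" if p.suffix.lower() == ".php" else "read"

def serve_vulnerable(path: str, role: str) -> tuple[str, str, str]:
    """'Before' behaviour modelled on CWE-862: the caller's role is never consulted."""
    p = normalize(path)
    return ("200", requested_action(p), str(p))

def serve_fixed(path: str, role: str) -> tuple[str, str, str]:
    """'After' behaviour: deny by default, then require the role in the policy entry."""
    p = normalize(path)
    if not p.parts:
        raise Forbidden("no directory in request")
    entry = DIRECTORY_POLICY.get(p.parts[0])
    action = requested_action(p)
    if entry is None or role not in entry[action]:
        raise Forbidden(f"role {role!r} may not {action} in {p.parts[0]!r}")
    return ("200", action, str(p))

def is_allowed(path: str, role: str) -> bool:
    """True when the fixed handler would serve the request, False when it refuses."""
    try:
        serve_fixed(path, role)
        return True
    except Forbidden:
        return False
```

Normalizing before the lookup matters: without it, a request such as `public/../scripts/db.php` would pass a check that only looks at the literal first path component.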
Details
- CWE(s)