Cyber Resilience

CVE-2026-4536

Medium

Published: 22 March 2026

Published
22 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 18.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4536 is a medium-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4536 is a vulnerability discovered in the Acrel Environmental Monitoring Cloud Platform version 1.1.0, affecting some unknown processing component. It allows for unrestricted file upload through manipulation, classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as potential unauthorized file placement that could lead to further compromise depending on the uploaded content. An exploit has been made public and is available for use.

Advisories referenced in VulDB entries (ctiid.352324, id.352324, submit.774423) and a GitHub repository detail the issue but note that the vendor was contacted early for disclosure without any response, implying no official patches or mitigations are available at this time. Security practitioners should isolate or decommission affected instances where possible.

EU & UK References

Vulnerability details

A vulnerability was found in Acrel Environmental Monitoring Cloud Platform 1.1.0. This issue affects some unknown processing. Performing a manipulation results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used.…

more

The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload on public-facing web platform enables remote exploitation (T1190) and direct web shell deployment for execution/persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13144Shared CWE-284, CWE-434
CVE-2025-8255Shared CWE-284, CWE-434
CVE-2025-2219Shared CWE-284, CWE-434
CVE-2025-7413Shared CWE-284, CWE-434
CVE-2025-0341Shared CWE-284, CWE-434
CVE-2026-3748Shared CWE-284, CWE-434
CVE-2026-2666Shared CWE-284, CWE-434
CVE-2026-2979Shared CWE-284, CWE-434
CVE-2026-3800Shared CWE-284, CWE-434
CVE-2025-1355Shared CWE-284, CWE-434

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates file upload inputs to block unrestricted uploads of dangerous types, directly addressing CWE-434 and CWE-284.

prevent

Enforces access controls to prevent unauthenticated remote manipulation leading to unrestricted file uploads.

prevent

Restricts types and amounts of information inputs to systems, mitigating unrestricted file upload capabilities.

References