CVE-2026-4761
Published: 25 March 2026
Summary
CVE-2026-4761 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Codra Panorama Collaborative Operation & Execution. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004). The CVE ranks at the 6.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the permissions vulnerability by requiring timely application of the update PS-2500-00-0357 that fixes improper private key access grants to the operator group.
Enforces least privilege to prevent the operator group from gaining unnecessary access to sensitive private keys installed in the Windows certificate store.
Mandates protection of private keys as authenticators from unauthorized disclosure, directly countering the excessive permissions granted to the operator group.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability grants operator group unauthorized access to private keys in Windows certificate store (CWE-732), directly enabling exfiltration of private keys for authentication/encryption per T1552.004.
NVD Description
When a certificate and its private key are installed in the Windows machine certificate store using Network and Security tool, access rights to the private key are unnecessarily granted to the operator group.
- Installations based on Panorama Suite 2025 (25.00.004) are vulnerable unless update PS-2500-00-0357 (or higher) is installed
- Installations based on Panorama Suite 2025 Updated Dec. 25 (25.10.007) are not vulnerable
Please refer to security bulletin BS-036, available on the Panorama CSIRT website: https://my.codra.net/en-gb/csirt.
Deeper analysis
CVE-2026-4761 is a permissions vulnerability (CWE-732) in the handling of certificates and private keys installed via the Network and Security tool into the Windows machine certificate store. It affects installations based on Panorama Suite 2025 (version 25.00.004), where access rights to the private key are unnecessarily granted to the operator group. Systems with the update PS-2500-00-0357 or higher installed are not vulnerable, and installations based on Panorama Suite 2025 Updated Dec. 25 (version 25.10.007) are unaffected. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-25.
The vulnerability can be exploited by any authenticated member of the operator group on an affected system, potentially allowing unauthorized access to sensitive private keys over the network with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, such as exfiltrating private keys used for authentication or encryption, without affecting integrity or availability.
Security bulletin BS-036, available on the Panorama CSIRT website at https://my.codra.net/en-gb/csirt, provides detailed mitigation guidance. Panorama recommends applying update PS-2500-00-0357 or higher to vulnerable Panorama Suite 2025 (25.00.004) installations. Additional details are in the referenced PDF at https://my.codra.net/api/csirt/download?resourceId=1469&fileType=FichierPDF.
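To check a host for the condition described above, the following added example (not code from Codra, bulletin BS-036 or this page) lists ACL entries on machine private-key files that grant access to a chosen group. The group name is a placeholder because the page does not name the operator group; the key directories are the standard Windows locations, and only RSA keys are covered.

```powershell
# Added example (not vendor code): report Allow entries for a given group on
# the key files behind certificates in the machine store. Run elevated.
param(
    # Placeholder: the page does not name the operator group; set it per site.
    [string]$GroupPattern = '*\PLACEHOLDER-OperatorGroup'
)

# Standard Windows locations for machine key files: CNG first, then legacy CSP.
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)
$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_
        # RSA keys only; ECDSA keys would need ECDsaCertificateExtensions.
        try { $key = $ext::GetRSAPrivateKey($cert) } catch { return }
        $name = if ($key -is [System.Security.Cryptography.RSACng]) {
            $key.Key.UniqueName
        } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $key.CspKeyContainerInfo.UniqueKeyContainerName
        }
        if (-not $name) { return }

        # For software-backed keys the unique name is the key file name.
        $file = $keyDirs | ForEach-Object { Join-Path $_ $name } |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $file) { return }   # hardware-backed key or no file found

        (Get-Acl -LiteralPath $file).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.IdentityReference.Value -like $GroupPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $cert.PSParentPath -replace '^.*::'
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    KeyFile    = $file
                    Identity   = $_.IdentityReference.Value
                    Rights     = $_.FileSystemRights
                }
            }
    }
```

An empty result means no Allow entry for the matched group was found on any key file the script could locate.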
Details
- CWE(s)