CVE-2026-8100
Published: 18 June 2026
Summary
CVE-2026-8100 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Progress (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-37955
Vulnerability details
Impact A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated…
more
request may bypass standard access controls gaining additional privileges, potentially allowing access to API endpoints that are intended to be restricted to higher-permissioned roles. The impact is limited to environments where the affected request patterns can be triggered and depends on specific deployment configuration and access controls in place. Resolution The issue has been addressed through product updates that improve request validation and enforce strict path normalization before authorization checks. Customers are advised to update to the latest available version containing the fix, version 1.7.1 or later.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal (CWE-23) in public Chef 360 API enables auth bypass and privilege escalation to restricted endpoints.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.