CVE-2026-24710 Northern.tech CVE debrief

Who should care

Organizations using CFEngine Enterprise for infrastructure configuration management, particularly those with web-exposed management interfaces or multi-user environments where authenticated users may view shared reports or dashboards.

Technical summary

CFEngine Enterprise, a configuration management platform by Northern.tech, contains a reflected or stored XSS vulnerability in its web interface components. The vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79). Affected versions include all releases prior to 3.21.8, the 3.24.x branch before 3.24.3, and version 3.26.0. The vendor has released patched versions and published a security advisory addressing this and two related CVEs.

Defensive priority

medium

Recommended defensive actions

• Upgrade CFEngine Enterprise to version 3.21.8, 3.24.3, or 3.27.0 or later.
• Review vendor security advisory for additional mitigation guidance.
• Implement Content Security Policy (CSP) headers to mitigate XSS impact.
• Validate and sanitize all user inputs in web-facing CFEngine components.
• Monitor for suspicious script injection attempts in CFEngine web interfaces.

Evidence notes

CVE published 2026-05-14; modified 2026-05-19. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. CPE configurations indicate affected versions: all versions before 3.21.8, versions 3.24.0 through 3.24.2, and version 3.26.0. Vendor advisory published at cfengine.com blog.

Official resources