PatchSiren cyber security CVE debrief

CVE-2026-24711 Northern.tech CVE debrief

Northern.tech CFEngine Enterprise contains an incorrect access control vulnerability (CWE-284) affecting multiple versions prior to 3.21.8, 3.24.3, and 3.27.0. The vulnerability, published on 2026-05-14 and last modified on 2026-05-19, has a CVSS 3.1 score of 5.3 (Medium severity) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network-based attack vector with low attack complexity, no privileges required, no user interaction, and low confidentiality impact. The affected versions include all Enterprise editions before 3.21.8, versions 3.24.0 through 3.24.2, and version 3.26.0. Northern.tech has released patched versions and provided vendor advisory guidance.

Vendor: Northern.tech
Product: CFEngine Enterprise
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations using CFEngine Enterprise for configuration management, particularly those running affected versions in production environments. Security teams responsible for infrastructure automation platforms and compliance officers tracking configuration management tool security should prioritize patching.

Technical summary

Incorrect access control in CFEngine Enterprise allows unauthorized network-based access with low confidentiality impact. The vulnerability stems from improper implementation of access controls in the Enterprise edition of the configuration management platform. Attack complexity is low and no authentication is required, so the flaw is reachable by unauthenticated network attackers. Per the CVSS vector, the confidentiality impact is rated low, with no integrity or availability impact.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade CFEngine Enterprise to version 3.21.8, 3.24.3, or 3.27.0 or later as appropriate for your release track
  • Review vendor security advisory for additional configuration guidance
  • Verify access control policies on CFEngine Enterprise deployments
  • Monitor for unauthorized access attempts in CFEngine audit logs
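The first action above, upgrading to the fixed release for your track, is easiest to apply fleet-wide when you can tell mechanically which installed versions fall inside the listed ranges. The following is an added example (not code from Northern.tech or PatchSiren) that encodes the affected ranges exactly as this debrief states them (before 3.21.8, 3.24.0 through 3.24.2, and 3.26.0) and maps each to its fix version. The inventory lines and hostnames are constructed, and the handling of a trailing package release suffix such as "-1" is an assumption about how a package manager might report the version. A version outside every listed range is reported as not affected per the listed ranges, not as independently verified safe.

```python
"""Check CFEngine Enterprise versions against the affected ranges stated for
CVE-2026-24711 and report the fix version for each release track.

Added example; not code from Northern.tech or PatchSiren. Inventory data is
constructed, and release-suffix handling ("3.24.2-1") is an assumption.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


# Affected ranges from the debrief as (low inclusive, high exclusive, fixed-in).
# Encoding them as integer tuples keeps comparisons correct across 3.9 vs 3.24.
AFFECTED_RANGES = (
    (Version(0, 0, 0), Version(3, 21, 8), "3.21.8"),   # everything before 3.21.8
    (Version(3, 24, 0), Version(3, 24, 3), "3.24.3"),  # 3.24.0 through 3.24.2
    (Version(3, 26, 0), Version(3, 26, 1), "3.27.0"),  # 3.26.0 only
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    Integer comparison avoids the string-compare mistake where "3.9.0" sorts
    after "3.24.0". A trailing package release such as "-1" (assumed format)
    is ignored, and a missing patch component is treated as 0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+~].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return Version(int(major), int(minor), int(patch or 0))


def assess(text: str) -> tuple[bool, str | None]:
    """Return (affected, fix_version) for one installed version.

    affected is True only when the version falls inside a range the debrief
    lists; in that case fix_version names the release for that track.
    """
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v < high:
            return True, fixed
    return False, None


# Constructed inventory: "hostname version", as a CMDB export might list them.
SAMPLE_INVENTORY = """\
hub01 3.21.7
hub02 3.21.8
hub03 3.24.2-1
hub04 3.24.3
hub05 3.26.0
hub06 3.27.0
hub07 3.9.0
"""


def scan_inventory(inventory: str) -> dict[str, str]:
    """Map each affected host to the version it should be upgraded to."""
    result: dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        affected, fixed = assess(version)
        if affected and fixed is not None:
            result[host] = fixed
    return result


if __name__ == "__main__":
    for host, fixed in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: affected by CVE-2026-24711, upgrade to {fixed}")
```

Running the script against the constructed inventory flags hub01, hub03, hub05 and hub07 and names the fix release for each; hosts already on 3.21.8, 3.24.3 or 3.27.0 are left out of the report.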

Evidence notes

Vulnerability data sourced from NVD with official vendor advisory from Northern.tech. CPE criteria confirm affected version ranges. CVSS vector and CWE classification provided by NVD analysis.

Official resources

2026-05-14