PatchSiren cyber security CVE debrief

CVE-2026-33552 Northern.tech CVE debrief

CVE-2026-33552 is an incorrect access control vulnerability in Northern.tech Mender Enterprise Server versions prior to 4.1.1, published on 2026-05-27. The vendor's advisory covers it together with a related input sanitization issue in the same server, CVE-2026-49009. The stored evidence does not say which resources or actions the flaw exposes, only that it is an access control weakness in the Mender Server platform; what the vulnerability class implies is that a user, authenticated or not, may be able to reach resources or perform actions beyond their intended authorization scope. Mender Enterprise Server is an over-the-air (OTA) software update management platform for IoT and embedded devices, so an authorization bypass in it would bear on deployment configuration, device management functions and, in multi-tenant installations, tenant isolation; that is why the issue matters to organizations managing large fleets of connected devices. The vendor has fixed the issue in version 4.1.1, and organizations running affected versions should prioritize upgrading to that release.

Vendor
Northern.tech
Product
Mender Enterprise Server
CVSS
LOW 3.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-28
Advisory published
2026-05-27
Advisory updated
2026-05-28

Who should care

Organizations using Mender Enterprise Server for IoT device fleet management, particularly multi-tenant deployments where tenant isolation is critical

Technical summary

Incorrect access control in Mender Enterprise Server < 4.1.1 allows potential authorization bypass. Fixed in 4.1.1. NVD had not assigned a CVSS score or severity at the time of writing (record status 'Received'); the Low 3.7 figure shown above therefore comes from a source other than NVD.

Defensive priority

high

Recommended defensive actions

  • Upgrade Mender Enterprise Server to version 4.1.1 or later to remediate the incorrect access control vulnerability
  • Review Mender Server access and audit logs for unauthorized requests to administrative interfaces and for cross-tenant resource access; the flaw predates its 2026-05-27 publication, so cover the full log retention window up to patch deployment rather than only the days since disclosure
  • Verify tenant isolation configurations remain intact and audit role-based access control assignments for service accounts
  • Subscribe to Northern.tech security advisories for future Mender Server security updates
  • If immediate patching is not feasible, restrict network access to Mender Server management interfaces to authorized administrative hosts only
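The two checks above that lend themselves to scripting are the version comparison against the fixed release and the hunt for cross-tenant access in the server's audit trail. The following Python is an added example written for this debrief, not code from PatchSiren, Northern.tech or the Mender project. It assumes a Mender-style semantic version string, and it assumes an audit export in JSON-lines form with the fields actor_tenant, resource_tenant, action, resource and status; those field names and the four sample records are constructed for illustration and must be mapped onto whatever your real export contains. The page does not state what the vulnerability lets an attacker do, so the detector looks only for the generic signal the recommended actions describe: a request that touched a resource owned by a tenant other than the caller's.

```python
"""Triage helpers for CVE-2026-33552 (added example, not vendor code).

1. is_vulnerable(version): True when the reported server version predates
   the fixed release 4.1.1 (pre-releases of 4.1.1 count as unpatched).
2. find_cross_tenant_events(lines): scan JSON-lines audit records and return
   those where the acting tenant differs from the tenant owning the resource.

Field names and sample records are ASSUMED/CONSTRUCTED for illustration.
"""
import json
import re
from typing import Iterable, List, Tuple

FIXED_VERSION: Tuple[int, ...] = (4, 1, 1)

# Accepts "4.1.1", "v4.1.1", "4.1.1-rc.1"; any build metadata after that is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_version(version: str) -> Tuple[int, ...]:
    """Map a version string to a tuple that compares the way semver orders.

    The trailing element is 0 for a pre-release and 1 for a final release,
    so '4.1.1-rc.1' sorts below '4.1.1' and is still reported as vulnerable.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric = tuple(int(part) for part in m.group(1, 2, 3))
    return numeric + ((0,) if m.group(4) else (1,))


def is_vulnerable(version: str) -> bool:
    """True when the server is older than the 4.1.1 release that carries the fix."""
    return parse_version(version) < FIXED_VERSION + (1,)


# Constructed sample audit export (JSON lines). Tenant names, users and
# resource identifiers are invented; the schema is an assumption.
SAMPLE_AUDIT_LOG = """\
{"time":"2026-05-27T08:00:01Z","actor":"ops@acme.example","actor_tenant":"acme","action":"deployment.create","resource":"deployments/7f2c","resource_tenant":"acme","status":200}
{"time":"2026-05-27T08:02:17Z","actor":"ops@acme.example","actor_tenant":"acme","action":"device.read","resource":"devices/d-0042","resource_tenant":"globex","status":200}
{"time":"2026-05-27T08:03:40Z","actor":"svc-ci@globex.example","actor_tenant":"globex","action":"artifact.upload","resource":"artifacts/a-19","resource_tenant":"globex","status":201}
{"time":"2026-05-27T08:05:02Z","actor":"ops@acme.example","actor_tenant":"acme","action":"user.list","resource":"users","resource_tenant":"globex","status":403}
"""


def find_cross_tenant_events(lines: Iterable[str], include_denied: bool = False) -> List[dict]:
    """Return audit records whose actor tenant differs from the resource tenant.

    A cross-tenant request that the server answered with 2xx/3xx is the
    interesting case: it means authorization did not stop it. Requests the
    server refused (status >= 400) are attempts rather than successes and
    are only returned when include_denied=True, which is still worth a look
    for attacker reconnaissance.
    """
    hits: List[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("actor_tenant") == rec.get("resource_tenant"):
            continue  # same tenant on both sides: expected traffic
        if not include_denied and int(rec.get("status", 0)) >= 400:
            continue  # refused by the server, not a successful bypass
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for v in ("4.0.9", "4.1.1-rc.1", "4.1.1", "4.2.0"):
        print(f"{v:12s} vulnerable={is_vulnerable(v)}")
    for rec in find_cross_tenant_events(SAMPLE_AUDIT_LOG.splitlines()):
        print("cross-tenant success:", rec["actor"], rec["action"], rec["resource"],
              f"(actor tenant {rec['actor_tenant']}, resource tenant {rec['resource_tenant']})")
```

On a real export, feed `find_cross_tenant_events` the file handle instead of `SAMPLE_AUDIT_LOG.splitlines()`, and review the `include_denied=True` output separately: a burst of 403s from one account against another tenant's resources is the reconnaissance that would precede a successful bypass.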

Evidence notes

Vulnerability description sourced from NVD record with vendor confirmation via Northern.tech blog post. CVSS score and severity not yet assigned per NVD status 'Received'. Vendor advisory explicitly links CVE-2026-33552 to access control issues in Mender Server.

Official resources

2026-05-27