PatchSiren cyber security CVE debrief
CVE-2026-57920 Peplink CVE debrief
CVE-2026-57920 is a high-severity vulnerability (CVSS 7.7) in Peplink InControl 2 that allows attackers to bypass access-control rules using a semicolon in certain /rest/o/{orgId} endpoints. It was published on June 26, 2026, and last modified on July 2, 2026. It affects Peplink InControl 2 versions up to 2.14.2. Public information about the vulnerability is limited, so defenders should exercise caution when assessing and mitigating it.
- Vendor: Peplink
- Product: InControl 2
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-26
- Original CVE updated: 2026-07-02
- Advisory published: 2026-06-26
- Advisory updated: 2026-07-02
Who should care
Organizations using Peplink InControl 2 should prioritize patching this vulnerability to prevent potential attacks. Defenders should review their inventory of Peplink InControl 2 instances and ensure they are running a version patched for this vulnerability. Additionally, defenders should monitor their systems for any suspicious activity related to this vulnerability.
Technical summary
CVE-2026-57920 allows attackers to bypass access-control rules in Peplink InControl 2 by using a semicolon in certain /rest/o/{orgId} endpoints. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, which decodes to: network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, high confidentiality impact, and no integrity or availability impact. The vulnerability affects Peplink InControl 2 versions up to 2.14.2. Limited information is available, so defenders should exercise caution when assessing and mitigating it and should review the CVE and NVD records for more information.
Defensive priority
High
Recommended defensive actions
- Review and apply the patch for Peplink InControl 2 version 2.14.2 or later.
- Monitor systems for suspicious activity related to this vulnerability.
- Review inventory of Peplink InControl 2 instances and ensure they are running a patched version.
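One way to act on the monitoring recommendation, as an added example that is not from Peplink or the CVE record: scan web access logs for requests under /rest/o/ whose path contains a semicolon. The combined log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Combined/common log format is an ASSUMPTION (for example a reverse proxy in
# front of InControl 2); adapt the pattern to the log source you actually have.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
ORG_PREFIX = "/rest/o/"  # endpoint family named in the CVE record


def has_semicolon_in_org_path(target):
    """True if the request path (query excluded) is under /rest/o/ and has ';'."""
    # Drop the query string, then normalise percent-encoding once so the raw
    # and encoded spellings of the character are treated alike.
    path = unquote(target.split("?", 1)[0])
    return path.startswith(ORG_PREFIX) and ";" in path


def find_suspect_requests(lines):
    """Return one dict (ip, ts, method, target, status) per matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_semicolon_in_org_path(m.group("target")):
            hits.append(m.groupdict())
    return hits


# Constructed sample lines: documentation IPs, placeholder org id and paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2026:10:00:01 +0000] "GET /rest/o/ORG_ID/example HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2026:10:00:05 +0000] "GET /rest/o/ORG_ID;x/example HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2026:10:02:11 +0000] "GET /rest/o/ORG_ID%3Bx/example?q=1 HTTP/1.1" 403 64',
    '203.0.113.9 - - [01/Jul/2026:10:03:40 +0000] "GET /static/app.js?v=1;2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["status"], hit["target"])
```

A hit is a lead for review rather than proof of a bypass; compare the response status and the requesting account against what that account is permitted to access.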
Evidence notes
The CVE and NVD records provide limited information about the vulnerability. The CVE record notes that the vulnerability allows attackers to bypass access-control rules using a semicolon in certain /rest/o/{orgId} endpoints. The NVD record provides a CVSS vector and notes that the vulnerability affects Peplink InControl 2 versions up to 2.14.2.
Official resources
- CVE-2026-57920 CVE record: CVE.org
- CVE-2026-57920 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
This article was generated with AI assistance based on the supplied source corpus.