PatchSiren cyber security CVE debrief
CVE-2026-26289 Raw CVE debrief
CVE-2026-26289 is an authorization issue in Subnet Solutions PowerSYSTEM Center's REST API device account export path. According to CISA, an authenticated user with limited permissions can expose sensitive information that should be restricted to administrative access. CISA published the advisory on 2026-05-12 and rates the issue High (CVSS 8.2) in the supplied record.
- Vendor
- Raw
- Product: Subnet Solutions Inc.
  - PowerSYSTEM Center 2020: <=5.28.x; >=5.8.x|<=5.28.x; >=5.11.x|<=5.28.x
  - PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x
  - PowerSYSTEM Center 2026: 7.0.x
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-12
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-12
Who should care
Organizations running PowerSYSTEM Center 2020, 2024, or 2026 should review their exposure, especially OT/ICS administrators, security teams, and operators who delegate limited-permission user access to the application or its REST API features.
Technical summary
The advisory states that a PowerSYSTEM Center REST API endpoint for device account export can be used by an authenticated user with limited permissions to access sensitive information normally restricted to administrators. The supplied advisory data lists affected product lines across PowerSYSTEM Center 2020, 2024, and 2026, and points to vendor fixes in PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.
Defensive priority
High. This is a sensitive information disclosure issue in an industrial-control management product, and the access boundary involved is administrative versus limited-user permissions. Prioritize patching and review any accounts or workflows that can reach export-related API functions.
Recommended defensive actions
- Update to the vendor-recommended fixed versions: PSC 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix, as applicable to your deployment.
- Review which users and service accounts can access export-related REST API functionality and remove unnecessary privileges where possible.
- Monitor user activity records for unusual or bulk account export activity, and configure a notification rule to alert on bulk export events.
- Follow the vendor's additional hardening guidance where applicable, including restricting access to Notification Settings to trusted administrators and monitoring 'Send from Address' and Activity Records.
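As an added illustration of the monitoring recommendation above (example code, not from the advisory or the vendor), the following Python detector runs over constructed activity records and flags any device account export performed by a non-admin account, plus bulk exports by any account within a short window. The record format, field names and the role labels are assumptions; real PowerSYSTEM Center Activity Records will differ and the parser must be adapted.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample activity records. The line format is an assumption:
# "<ISO timestamp> <user> <role> <event> count=<rows exported>"
SAMPLE_RECORDS = """\
2026-05-12T08:00:01Z alice admin device_account_export count=2
2026-05-12T08:03:00Z bob limited login count=0
2026-05-12T08:05:10Z bob limited device_account_export count=1
2026-05-12T08:05:12Z bob limited device_account_export count=40
2026-05-12T08:20:00Z carol admin device_account_export count=5
2026-05-12T08:21:00Z carol admin device_account_export count=5
2026-05-12T08:22:00Z carol admin device_account_export count=5
""".splitlines()


def parse_record(line):
    """Split one constructed record line into its fields."""
    ts, user, role, event, count = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "role": role,
        "event": event,
        "count": int(count.split("=", 1)[1]),
    }


def find_export_alerts(lines, window=timedelta(minutes=5), threshold=10,
                       admin_roles=("admin",)):
    """Return (user, rule, detail) tuples for two rules:
    non_admin_export: any device account export by a non-admin account
                      (the advisory says this data should be admin-only);
    bulk_export:      rows exported by one user within `window` reach `threshold`.
    """
    alerts = []
    recent = {}  # user -> deque of (timestamp, rows) still inside the window
    for rec in map(parse_record, lines):
        if rec["event"] != "device_account_export":
            continue
        if rec["role"] not in admin_roles:
            alerts.append((rec["user"], "non_admin_export", rec["ts"].isoformat()))
        q = recent.setdefault(rec["user"], deque())
        q.append((rec["ts"], rec["count"]))
        while q and rec["ts"] - q[0][0] > window:  # drop entries older than window
            q.popleft()
        total = sum(rows for _, rows in q)
        if total >= threshold:
            alerts.append((rec["user"], "bulk_export", f"{total} rows in {window}"))
            q.clear()  # one burst raises one alert
    return alerts
```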
Evidence notes
All technical claims here are drawn from the supplied CISA CSAF advisory ICSA-26-132-02 and its referenced CVE record. The advisory text specifically says the REST API device account export endpoint can expose sensitive information to an authenticated user with limited permissions. The supplied record also includes SSVCv2/E:N/A:N/2026-05-11T06:00:00.000000Z and lists the vendor remediation versions. No KEV entry or ransomware linkage is present in the supplied corpus.
Official resources
- CVE-2026-26289 CVE record (CVE.org)
- CVE-2026-26289 NVD detail (NVD)
- Source item URL: cisa_csaf
Publicly disclosed by CISA in advisory ICSA-26-132-02 on 2026-05-12. The supplied advisory revision history shows an initial publication with no later revisions in the corpus provided.