PatchSiren cyber security CVE debrief
CVE-2026-6807 Raw CVE debrief
CVE-2026-6807 is a medium-severity information exposure issue affecting NSA GRASSMARLIN v3.2.1. According to CISA’s advisory, crafted session data can trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The advisory also states that GRASSMARLIN has reached end-of-life status and is no longer supported, so no patch or further update is expected.
- Vendor: Raw
- Product: NSA GRASSMARLIN vers:all/*
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-28
- Original CVE updated: 2026-04-28
- Advisory published: 2026-04-28
- Advisory updated: 2026-04-28
Who should care
Organizations still operating NSA GRASSMARLIN should care, especially defenders responsible for industrial control system visibility, segmentation, or incident response deployments. The issue is most relevant where GRASSMARLIN handles sensitive session data or is reachable by users with local, low-privilege access.
Technical summary
CISA describes the flaw as insufficient hardening in the XML parsing process in GRASSMARLIN v3.2.1. The CVSS vector provided in the advisory is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact with no integrity or availability impact. The primary risk is exposure of sensitive information rather than direct integrity or availability impact.
Defensive priority
Moderate-to-high. The issue is not network-reachable per the supplied CVSS vector, but the product is end-of-life and no vendor fix is planned, so remediation depends on compensating controls and migration.
Recommended defensive actions
- Inventory any remaining NSA GRASSMARLIN deployments and confirm whether version 3.2.1 or the affected archived project is in use.
- Treat the issue as unpatchable: plan migration away from GRASSMARLIN because the project is archived and no further updates are expected.
- Restrict local access to affected systems and limit which users can submit or influence session data.
- Review data exposure paths around XML parsing and session storage for sensitive information that could be disclosed if parsing is mishandled.
- Monitor for abnormal local access or unexpected access to session-related files and logs associated with GRASSMARLIN.
- Apply least-privilege and segmentation controls around any system that still runs the software.
Evidence notes
This debrief is based on the supplied CISA CSAF advisory for ICSA-26-118-01 / CVE-2026-6807 and its published CVSS vector. The advisory text states that crafted session data may trigger improper XML input handling and result in unintended exposure of sensitive information, and that GRASSMARLIN is end-of-life with no patches planned.
Official resources
- CVE-2026-6807 CVE record (CVE.org)
- CVE-2026-6807 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory and CVE record on 2026-04-28. The supplied advisory notes that the GRASSMARLIN project reached end-of-life in 2017 and is archived, with no patches or further updates planned.