PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40543 SOPlanning CVE debrief

SOPlanning versions 1.55 and below expose backup functionality without authentication, allowing unauthenticated remote attackers to retrieve backup archives that contain sensitive data: the user database (usernames and password hashes) and the config.csv configuration file. The vulnerability stems from missing authorization checks on backup-related endpoints (CWE-862). The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required, and high confidentiality impact on the vulnerable system. No known exploitation in ransomware campaigns has been documented.

Vendor: SOPlanning
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running SOPlanning version 1.55 or below, particularly those whose instances are reachable from the internet or that hold sensitive project planning data.

Technical summary

The vulnerability exists in SOPlanning ≤1.55 where backup endpoints lack authorization enforcement. An unauthenticated attacker can directly query these endpoints to obtain backup archives. The archives contain the user database (including usernames and password hashes) and config.csv with additional sensitive configuration data. This represents a missing authorization weakness (CWE-862) with high confidentiality impact.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade SOPlanning to a version newer than 1.55 when available, or apply vendor-provided patches
  • Restrict network access to SOPlanning backup endpoints using firewall rules or reverse proxy authentication
  • Monitor access logs for unauthorized requests to backup-related URL paths
  • Rotate all user credentials and application secrets if compromise of backup archives is suspected
  • Review and strengthen authorization controls on all administrative and data-export functionality
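The log-monitoring action above, worked through as an added example that is not part of the advisory or of SOPlanning itself: it parses combined-format web server access logs, flags successful (2xx) requests to backup-related paths, and tallies them per client address. The advisory does not name the affected endpoints, so the path fragments, the URL prefix and the sample log lines are all assumptions to be replaced with values from your own deployment.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache/nginx "combined" access-log format: host, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# ASSUMPTION: the advisory does not name SOPlanning's backup endpoints, so these
# fragments are placeholders; replace them with the paths from your own install.
BACKUP_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r'/backup', r'config\.csv')]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Named fields of one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_backup_request(path: str) -> bool:
    """True if the request path (query string ignored) touches a backup-related URL."""
    return any(p.search(path.split("?", 1)[0]) for p in BACKUP_PATTERNS)

def find_backup_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Successful (2xx) requests to backup paths.

    On an unpatched instance a 2xx here means the archive was served with no login.
    Redirects to the login page (3xx) and 401/403 replies are the expected, safe outcome.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_backup_request(rec["path"]) and rec["status"].startswith("2"):
            hits.append(rec)
    return hits

def hits_by_source(lines: List[str]) -> Dict[str, int]:
    """Qualifying hits per client address, to prioritise triage and blocking."""
    return dict(Counter(h["ip"] for h in find_backup_hits(lines)))

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges. Two lines should be flagged; the 302 and the index page are not.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:10:15:02 +0000] "GET /soplanning/backup/export.php HTTP/1.1" 200 512000 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jun/2026:10:15:03 +0000] "GET /soplanning/backup/config.csv?dl=1 HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jun/2026:10:16:00 +0000] "GET /soplanning/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jun/2026:10:17:10 +0000] "GET /soplanning/backup/export.php HTTP/1.1" 302 0 "-" "curl/8.0"',
]
```

Once the instance is patched or the endpoints are placed behind reverse-proxy authentication, the same scan should return no 2xx hits, which makes it a cheap check that the mitigation is actually in effect.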

Evidence notes

CVE description confirms unauthenticated access to backup endpoints. CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N. CERT.PL advisory reference provides additional source attribution. Vendor identified as SOPlanning via reference domain candidate.

Official resources

2026-06-01