
CVE-2026-53908

6.9 MEDIUM (CVSS 4.0)
Description
MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Metadata

CVE ID: CVE-2026-53908
State: PUBLISHED
Assigner: CERT-PL
Reserved: 2026-06-11 07:44 UTC
Published: 2026-07-01 11:59 UTC
Last updated: 2026-07-01 13:38 UTC
Primary CWE: CWE-204 Observable Response Discrepancy
Vendor / Product: MyComplianceOffice / MCO
Sources: cve.org  ·  NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation: none
Automatable: yes
Tech. Impact: partial
Affected products (1)
Vendor | Product | Platform | Versions
MyComplianceOffice | MCO | | 25.3.3.1
Weakness (CWE)
CWE | Source | Description
CWE-204 | cna | CWE-204 Observable Response Discrepancy
CVSS scores (1)
Score | Severity | Version | Source | Vector
6.9 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N