We are writing to inform you of multiple recently discovered security issues in the CFEngine policy and Mission Portal. These issues have been fixed in the recently released 3.27.0, 3.24.3 and 3.21.8 versions. Prior versions (3.24.2, 3.21.7, and below) are affected. We have no indications of these issues being exploited or known outside of the company and the security researchers that reported them.
These issues were discovered by the following security researchers through our HackerOne bug bounty program:
- CVE-2026-24710:
  - Tahsin Akbar Ohi (royal_coder)
  - i-forgot-it (i-forgot-it)
- CVE-2026-24711:
  - Tahmid Akbar Omim (imperial_coder)
- CVE-2026-24712:
  - Dipesh Thakur (bughunter0xff)
Description
The following types of vulnerabilities have been discovered in the affected versions:
- OS command injection in CFEngine policy language
- SQL injection in Mission Portal
- Cross-site scripting (XSS) in Mission Portal
- OS command injection in Mission Portal
- Broken access control in Mission Portal
- Local file inclusion (LFI) in Mission Portal
Impact
These vulnerabilities enable running commands, escalating privileges, and bypassing access control. To exploit them, an attacker would need some level of initial access, i.e., a low-privilege Mission Portal user account, or access to edit policy files or the data used by policy.
Remediation
To remediate the issues, please upgrade to CFEngine 3.27.0, 3.24.3, 3.21.8, or a later version. We recommend upgrading as soon as possible, not just to fix these specific issues but also to benefit from the other bug fixes and security improvements we put into every new release.
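As an added example (not code from the advisory or from CFEngine), a small Python check that maps a running version to the fix release named above. It assumes a `cf-agent --version` line contains an x.y.z version, and it treats branches the advisory does not name (for instance 3.22.x or 3.26.x) as affected until 3.27.0, which is a conservative assumption on our part.

```python
import re

# Fix releases named in the advisory: each fixes its own maintenance branch,
# and 3.27.0 is the first release on which every other branch is considered fixed.
FIXED_RELEASES = ((3, 21, 8), (3, 24, 3), (3, 27, 0))
FIXED_MAINLINE = (3, 27, 0)


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a version string or a cf-agent --version line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(v: tuple) -> bool:
    """True if the running version already contains the fix."""
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            # On a branch with a named fix release: fixed from that release on.
            return v >= fixed
    # Any other branch (assumption): fixed only from 3.27.0 on.
    return v >= FIXED_MAINLINE


def recommended_upgrade(v: tuple):
    """Return None if v is fixed, else the lowest fix release newer than v."""
    if is_fixed(v):
        return None
    return min(f for f in FIXED_RELEASES if f > v)


def check_line(line: str) -> str:
    """Turn one cf-agent --version line into a short remediation verdict."""
    v = parse_version(line)
    target = recommended_upgrade(v)
    if target is None:
        return f"{'.'.join(map(str, v))}: not affected"
    return f"{'.'.join(map(str, v))}: affected, upgrade to {'.'.join(map(str, target))}"


if __name__ == "__main__":
    # Constructed sample output lines, not captured from real hosts.
    for sample in ("CFEngine Core 3.24.2", "CFEngine Core 3.21.8",
                   "CFEngine Core 3.18.5", "CFEngine Core 3.26.1"):
        print(check_line(sample))
```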
Contact
For help with upgrading or additional questions, please contact support at: