
CVE-2026-24710, CVE-2026-24711 & CVE-2026-24712 - Injection & broken access control

Posted by Lars Erik Wik
February 9, 2026

(This blog post was updated February 10th, 2026)

We are writing to inform you of multiple recently discovered security issues in the CFEngine policy language and Mission Portal. These issues have been fixed in the recently released versions 3.27.0, 3.24.3 and 3.21.8. Prior versions (3.24.2, 3.21.7, and below) are affected. We have no indications of these issues being exploited or known outside of the company and the security researchers that reported them.

Eight different issues were discovered through our HackerOne bug bounty program by the following security researchers:

  • CVE-2026-24710 - Injection in Mission Portal:
    • Tahsin Akbar Ohi (royal_coder) discovered 3 issues
    • i-forgot-it (i-forgot-it) discovered 1 issue
  • CVE-2026-24711 - Broken Access Control in Mission Portal:
    • Tahmid Akbar Omim (imperial_coder) discovered 3 issues
  • CVE-2026-24712 - Injection in CFEngine Policy Language:
    • Dipesh Thakur (bughunter0xff) discovered 1 issue

Description

The following types of vulnerabilities have been discovered on the affected versions:

  • OS command injection in CFEngine policy language
  • SQL injection in Mission Portal
  • Cross-site scripting (XSS) in Mission Portal
  • OS command injection in Mission Portal
  • Broken access control in Mission Portal
  • Local file inclusion (LFI) in Mission Portal

Impact

These vulnerabilities enable running commands, escalating privileges, and bypassing access control. To exploit the vulnerabilities, an attacker would need some level of initial access, i.e. a low-privilege Mission Portal user, or access to edit policy files or the data used by policy.

Remediation

To remediate these issues, please upgrade to CFEngine 3.27.0, 3.24.3, 3.21.8, or later versions. We recommend upgrading as soon as possible, not just to fix these specific issues, but also to benefit from the other bugfixes and security improvements we put into every new release.

Contact

For help with upgrading or additional questions, please contact support at:

https://support.northern.tech