We are writing to inform you of a recently discovered issue in CFEngine Enterprise. This issue was responsibly disclosed through our HackerOne Bug Bounty program; it was found during re-testing of, and follow-up on, some of the issues we announced earlier this year:
https://cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/
We have no indication that this issue has been exploited, or that it is known outside the company and the user who reported it. Thank you to Tahmid Akbar Omim for discovering and responsibly disclosing this issue.
To exploit this vulnerability, an attacker needs access to a low-privilege Mission Portal account, and interaction from the victim (an administrator) is also required: the administrator has to click a link or similar.
Description
Mission Portal is susceptible to cross-site scripting (XSS) because some of the API endpoints return an incorrect Content-Type HTTP header. Browsers use this header to decide what to do with the returned content: for example, whether to treat it as plain data and simply display it, or to render it as a web page and run any JavaScript it contains. The latter is the problem here, because some of the data in these responses can be controlled by a lower-privilege user, so content that should have been treated as data is instead rendered as a page in the browser of whoever opens the URL.
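The check below illustrates the class of mistake described above and how to spot it in captured API responses. It is an added example, not CFEngine's code, and it assumes the typical form of the bug (a JSON body declared as text/html, or with no Content-Type at all so the browser sniffs it); the advisory does not say which header value the affected endpoints actually sent. The paths and responses are constructed for illustration and do not correspond to real Mission Portal endpoints.

```python
"""Audit raw HTTP responses from JSON API endpoints for the Content-Type
mistake behind this class of XSS: a JSON body served as text/html (or with
no Content-Type, so the browser sniffs it) is rendered as a page when a
victim navigates to the URL, and any <script> inside the data runs in the
victim's session.

Added example, not CFEngine's code. Paths and responses are constructed.
"""
import json

# Constructed sample responses, byte-exact as a proxy or test client would
# capture them. Every body is the same JSON; only the headers differ.
SAMPLE_RESPONSES = {
    # Vulnerable: JSON body, but declared as HTML.
    "/api/hypothetical/vulnerable": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"\r\n"
        b'{"comment": "<script>/* attacker-controlled field */</script>"}'
    ),
    # Also vulnerable: no Content-Type at all, so the browser sniffs the body.
    "/api/hypothetical/untyped": (
        b"HTTP/1.1 200 OK\r\n"
        b"\r\n"
        b'{"comment": "<script>/* attacker-controlled field */</script>"}'
    ),
    # Fixed: correct type plus nosniff, so the browser treats the body as data.
    "/api/hypothetical/fixed": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json; charset=utf-8\r\n"
        b"X-Content-Type-Options: nosniff\r\n"
        b"\r\n"
        b'{"comment": "<script>/* attacker-controlled field */</script>"}'
    ),
}

# Media types a browser renders as a document, executing embedded script.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Header names are lower-cased; a repeated header keeps the last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def media_type(headers):
    """Content-Type without parameters, lower-cased; None when absent."""
    ct = headers.get("content-type")
    if ct is None:
        return None
    return ct.split(";", 1)[0].strip().lower()


def looks_like_json(body: bytes) -> bool:
    """True when the body parses as JSON, i.e. the endpoint returns data."""
    try:
        json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return True


def check_response(raw: bytes):
    """Return the findings for one response; an empty list means it is fine."""
    _, headers, body = parse_response(raw)
    findings = []
    if not looks_like_json(body):
        return findings  # only JSON API responses are in scope here
    mt = media_type(headers)
    if mt is None:
        findings.append("no Content-Type: browser sniffs the body and may render it as HTML")
    elif mt in HTML_TYPES:
        findings.append(f"JSON body served as {mt}: rendered as a page, embedded script runs")
    elif mt != "application/json" and not mt.endswith("+json"):
        findings.append(f"JSON body served as {mt}")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def audit(responses):
    """Map each path to its findings, keeping only paths with at least one."""
    result = {}
    for path, raw in responses.items():
        findings = check_response(raw)
        if findings:
            result[path] = findings
    return result


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RESPONSES).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Note the caveat encoded in the two vulnerable cases: X-Content-Type-Options: nosniff only stops the browser from guessing a type when none is declared; it does nothing for a response that explicitly declares text/html, so the fix has to be the correct Content-Type, with nosniff as defence in depth.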
Impact
An authenticated low-privilege Mission Portal user could put malicious JavaScript code into certain fields in Mission Portal and then get an administrator to open a page that causes the code to run with the administrator's access, allowing the attacker to escalate their own privileges. The attacker would need to send the administrator a specific link (an API URL) and have the administrator click it; the issue is not normally triggered by navigating the UI. With administrator access, the attacker could take over the hub and the infrastructure managed from that hub.
Remediation
CFEngine Enterprise 3.24.3, 3.27.0, and earlier versions are affected. We recommend upgrading to 3.24.4, 3.27.1, or later versions to fix the issue. For more information on how to upgrade, please see our documentation:
https://docs.cfengine.com/docs/lts/getting-started/01-installation/upgrading
Contact
For help with upgrading or additional questions, please contact support at: