CVE-2026-26289: PowerSYSTEM Center REST API Exposes Admin Data

The National Vulnerability Database has published CVE-2026-26289, a high-severity (CVSS 8.2) vulnerability in the PowerSYSTEM Center REST API. An authenticated user with limited permissions can invoke the API's device account export and retrieve sensitive device account information that should be available only to administrators. The root cause is classed as CWE-863 (Incorrect Authorization): the API confirms that the caller is logged in but does not confirm that the caller holds the privilege the export operation requires.

This is not just an information leak; it is an authorization bypass. An attacker holding any valid low-privilege account can pull a listing of device accounts, which is the data needed to choose targets and plan deeper access into the monitored network. Because the export is an API call rather than an interactive workflow, it is trivial to script once a credential is in hand.

Defenders should treat any reachable instance of this API as a direct path to sensitive data. The attacker's workflow is short: obtain a low-privilege account, call the export endpoint, and dump the device details needed for further penetration. This is a foundational authorization failure, a missing privilege check on a sensitive operation, not a subtle bug.

What This Means For You

  • If your organization runs PowerSYSTEM Center, identify every instance that exposes the REST API and who can reach it; until a fix is available, limit network access to the API to the hosts and users that need it. Audit user permissions and remove accounts that do not need access at all, since any authenticated account is sufficient to trigger this flaw. Review API access logs for calls to the device account export, paying particular attention to exports by non-administrative accounts, and alert on those going forward. Apply the vendor fix as soon as it is released.

Related ATT&CK Techniques

🛡️ Detection Rules


high T1087 Discovery

CVE-2026-26289: PowerSYSTEM Center Device Account Export via REST API

title: CVE-2026-26289: PowerSYSTEM Center Device Account Export via REST API
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects GET requests to the PowerSYSTEM Center REST API endpoint that exports
  device account data, a candidate indicator of CVE-2026-26289 being exploited
  by an authenticated low-privilege user. The path below is the rule author's
  assumption: the NVD entry only identifies "the REST API endpoint for device
  account export", so confirm the real path against the vendor's API
  documentation or your own access logs before deploying. The selection alone
  cannot distinguish an administrator's legitimate export from abuse; correlate
  hits with the requesting account (cs-username or your identity provider's
  logs) and escalate any successful export by a non-administrative account.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-26289/
tags:
  - attack.discovery
  - attack.t1087
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/devices/export/accounts'   # assumed path, see description
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative exports; tune by excluding known administrative accounts
  - Scheduled inventory or backup jobs that run under an administrative service account
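The Sigma selection only says "someone fetched the export"; the recommendation in "What This Means For You" to watch for exports by non-administrative accounts needs one more correlation step. The following added example (not from the page, the feed engine or the vendor) runs the rule's selection over constructed W3C extended web-server log lines and then triages the hits by requesting account and response status. The endpoint path is the same assumed path the Sigma rule uses and is unverified against the NVD entry; the admin list, IP addresses and log lines are constructed for the illustration.

```python
"""Apply the Sigma selection to W3C extended log lines, then triage by account.

Added example, not from the page or the vendor. The endpoint path is the
Sigma rule's assumption and must be replaced with the real one; the admin
list and the log sample are constructed for illustration.
"""
from collections import Counter

EXPORT_PATH = "/api/v1/devices/export/accounts"   # assumed path from the Sigma rule
EXPORT_METHOD = "GET"

# Constructed: accounts your directory or PowerSYSTEM Center marks as administrators.
ADMIN_ACCOUNTS = {"alice"}

# Constructed sample log in W3C extended format with IIS-style field names.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2026-05-13 01:20:01 10.0.0.5 alice GET /api/v1/devices/export/accounts - 200
2026-05-13 01:21:10 10.0.0.9 bob GET /api/v1/devices - 200
2026-05-13 01:21:12 10.0.0.9 bob GET /api/v1/devices/export/accounts format=csv 200
2026-05-13 01:21:13 10.0.0.9 bob GET /api/v1/devices/export/accounts page=2 200
2026-05-13 01:21:14 10.0.0.9 bob GET /api/v1/devices/export/accounts page=3 200
2026-05-13 01:25:00 10.0.0.7 carol POST /api/v1/devices/export/accounts - 405
2026-05-13 01:26:00 10.0.0.7 - GET /api/v1/devices/export/accounts - 401
"""


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def sigma_match(row: dict) -> bool:
    """The rule's selection: cs-uri contains the export path and method is GET.
    IIS splits the URI into stem and query, so rebuild cs-uri for the test."""
    uri = row["cs-uri-stem"]
    if row.get("cs-uri-query", "-") != "-":
        uri += "?" + row["cs-uri-query"]
    return EXPORT_PATH in uri and row["cs-method"] == EXPORT_METHOD


def triage(rows: list[dict]) -> list[dict]:
    """Turn raw selection hits into alerts worth a human's time.

    Only successful (2xx) responses count, since a 401 or 405 returned no data.
    Hits by known administrators are kept at 'info'; any other account that
    successfully exported is 'high'. A burst of exports from one account is
    flagged as likely scripted, the pattern to expect once a foothold exists."""
    hits = [r for r in rows if sigma_match(r) and r["sc-status"].startswith("2")]
    per_user = Counter(r["cs-username"] for r in hits)
    alerts = []
    for r in hits:
        user = r["cs-username"]
        alerts.append({
            "time": f'{r["date"]} {r["time"]}',
            "user": user,
            "src": r["c-ip"],
            "severity": "info" if user in ADMIN_ACCOUNTS else "high",
            "scripted": per_user[user] >= 3,
        })
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Alert count per severity, the number a dashboard or test would check."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    for alert in triage(parse_w3c(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, alice's single export is logged as expected admin activity, the failed POST and the unauthenticated 401 are dropped, and bob's three successful exports in three seconds surface as high-severity and scripted. In production the `ADMIN_ACCOUNTS` lookup should come from the identity provider or PowerSYSTEM Center's own role store rather than a static set, and the same logic applies if the web server does not log a username: join on session or source IP against the application's authentication log instead.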

Source: Shimi's Cyber World


Indicators of Compromise

The NVD entry publishes no network or file artefacts; the indicators below are descriptive.

ID              Type                    Indicator
CVE-2026-26289  Information Disclosure  PowerSYSTEM Center REST API endpoint for device account export
CVE-2026-26289  Auth Bypass             Authenticated user with limited permissions can retrieve information normally restricted to administrative permissions

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
