CVE-2026-31983 PUBLISHED

Missing authentication in SSH keys synchronization endpoint in Guardian/CMC before 26.2.0

Assigner: Nozomi
Reserved: 10.03.2026 Published: 09.07.2026 Updated: 09.07.2026

A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint. An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH keys.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor Nozomi Networks
Product Guardian
Versions Default: unaffected
  • affected from 0 to 26.2.0 (excl.)
Vendor Nozomi Networks
Product CMC
Versions Default: unaffected
  • affected from 0 to 26.2.0 (excl.)

Workarounds

Use internal firewall features to limit access to the web management interface.

Solutions

Upgrade to v26.2.0 or later.

Credits

  • This issue was found by Andrea Palanca of Nozomi Networks Product Security team during an internal investigation. finder

References

Problem Types

  • CWE-306 Missing authentication for critical function CWE

Impacts

  • CAPEC-115 Authentication Bypass