CVE-2026-33390 PUBLISHED

Incorrect privilege assignment for Arc sensors in Guardian/CMC before 26.2.0

Assigner: Nozomi
Reserved: 19.03.2026 Published: 09.07.2026 Updated: 09.07.2026

An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. An authenticated user with limited privileges can push administrative CLI commands through the sync, altering the device configuration, and/or affecting its availability.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.2

Product Status

Vendor Nozomi Networks
Product Guardian
Versions Default: unaffected
  • affected from 0 to 26.2.0 (excl.)
Vendor Nozomi Networks
Product CMC
Versions Default: unaffected
  • affected from 0 to 26.2.0 (excl.)

Workarounds

Review all enabled sensors and disallow or delete untrusted ones.

Solutions

Upgrade to v26.2.0 or later.

Credits

  • This issue was found by Andrea Palanca of Nozomi Networks Product Security team during an internal investigation. finder

References

Problem Types

  • CWE-266 Incorrect privilege assignment CWE

Impacts

  • CAPEC-122 Privilege Abuse