CVE-2026-48133 PUBLISHED

Identity Awareness Captive Portal - Unauthenticated Local File Inclusion

Assigner: checkpoint
Reserved: 20.05.2026 Published: 26.05.2026 Updated: 26.05.2026

When the Identity Awareness blade is enabled with Browser-Based Authentication, an unauthenticated user may be able to read certain internal files on the Security Gateway.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	checkpoint
Product	Quantum Security Gateway
Versions	Version R82.10 with Jumbo Hotfix Take 6 or below is affected Version R82 with Jumbo Hotfix Take 91 or below is affected Version R81.20 with Jumbo Hotfix Take 127 or below is affected Version All releases from R81.10 and below is affected

References

https://support.checkpoint.com/results/sk/sk184993

Problem Types

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE