CVE-2026-8100

CVE-2026-8100 PUBLISHED

Assigner: ProgressSoftware
Reserved: 07.05.2026 Published: 18.06.2026 Updated: 18.06.2026

Impact

A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated request may bypass standard access controls gaining additional privileges, potentially allowing access to API endpoints that are intended to be restricted to higher-permissioned roles. The impact is limited to environments where the affected request patterns can be triggered and depends on specific deployment configuration and access controls in place. Resolution The issue has been addressed through product updates that improve request validation and enforce strict path normalization before authorization checks. Customers are advised to update to the latest available version containing the fix, version 1.7.1 or later.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/RE:M
CVSS Score: 8.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Progress Chef
Product	Chef360
Versions	Default: unaffected affected from 0 to 1.7.1 (excl.)

Vendor

Progress Chef

Product

Chef360

Versions

Default: unaffected

affected from 0 to 1.7.1 (excl.)

References

Problem Types

CWE-23 Relative path traversal CWE

Impacts

CAPEC-179 Calling Micro-Services Directly