NN-2026:10-01

Missing authentication in SSH keys synchronization endpoint in Guardian/CMC before 26.2.0

Last update: 2026-07-07

Advisory IDNN-2026:10-01
TopicMissing authentication in SSH keys synchronization endpoint in Guardian/CMC before 26.2.0
CWE ImpactCWE-306: Missing Authentication for Critical Function
Issue date2026-07-07
AffectsGuardian, CMC < v26.2.0
CVE Name(s)CVE-2026-31983
CVSS DetailsCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score6.9 (CVSS v4.0)
5.3 (CVSS v3.1)
CVE Risk LevelMedium (CVSS v4.0)
Medium (CVSS v3.1)
Risk Level for Nozomi customersMedium

Summary

A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint.

Impact

An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH keys.

Affected Products

Guardian, CMC < v26.2.0

Workarounds and Mitigations

Use internal firewall features to limit access to the web management interface.

Solutions

Upgrade to v26.2.0 or later.

Modification History

2026-07-07: Initial revision

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Andrea Palanca of Nozomi Networks Product Security team for finding this issue during an internal investigation

Contact

Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.