| Advisory ID | NN-2026:10-01 |
|---|---|
| Topic | Missing authentication in SSH keys synchronization endpoint in Guardian/CMC before 26.2.0 |
| CWE Impact | CWE-306: Missing Authentication for Critical Function |
| Issue date | 2026-07-07 |
| Affects | Guardian, CMC < v26.2.0 |
| CVE Name(s) | CVE-2026-31983 |
| CVSS Details | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVSS Score | 6.9 (CVSS v4.0) 5.3 (CVSS v3.1) |
| CVE Risk Level | Medium (CVSS v4.0) Medium (CVSS v3.1) |
| Risk Level for Nozomi customers | Medium |
A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint.
An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH keys.
Guardian, CMC < v26.2.0
Use internal firewall features to limit access to the web management interface.
Upgrade to v26.2.0 or later.
We thank the following parties for their efforts: