NN-2026:13-01

Incorrect privilege assignment for Arc sensors in Guardian/CMC before 26.2.0

Last update: 2026-07-07

Advisory IDNN-2026:13-01
TopicIncorrect privilege assignment for Arc sensors in Guardian/CMC before 26.2.0
CWE ImpactCWE-266: Incorrect Privilege Assignment
Issue date2026-07-07
AffectsGuardian, CMC < v26.2.0
CVE Name(s)CVE-2026-33390
CVSS DetailsCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS Score7.2 (CVSS v4.0)
8.1 (CVSS v3.1)
CVE Risk LevelHigh (CVSS v4.0)
High (CVSS v3.1)
Risk Level for Nozomi customersHigh

Summary

An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions.

Impact

An authenticated user with limited privileges can push administrative CLI commands through the sync, altering the device configuration, and/or affecting its availability.

Affected Products

Guardian, CMC < v26.2.0

Workarounds and Mitigations

Review all enabled sensors and disallow or delete untrusted ones.

Solutions

Upgrade to v26.2.0 or later.

Modification History

2026-07-07: Initial revision

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Andrea Palanca of Nozomi Networks Product Security team for finding this issue during an internal investigation

Contact

Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.