CVE-2026-23781
Published 2026-04-10. CVE-2026-23781: An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application…
Priority: P357 · Severity: critical · Score: 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.28% (20.1th percentile)
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | control-m_managed_file_transfer | 9.0.20 – 9.0.22 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 8.8 | HIGH | — |
VulDB · 2026-04-10
CVE-2026-23781 [LOW] BMC Control-M MFT up to 9.0.22 API Debug Interface missing encryption
A vulnerability has been found in BMC Control-M MFT up to 9.0.22 and classified as problematic. Affected by this issue is some unknown functionality of the component API Debug Interface. This manipulation causes missing encryption of sensitive data.
This vulnerability appears as CVE-2026-23781. The attacker needs to be present on the local network. There is no available exploit.
GHSA (ghsa_unreviewed) · 2026-04-10
CVE-2026-23781 GHSA-76mr-v53w-7h6c: An issue was discovered in BMC Control-M/MFT 9
Red Hat (vendor_redhat) · 2026-06-21 · CVSS 8.8
CVE-2026-12770 [HIGH] CWE-266 litellm: BerriAI litellm: Improper authorization vulnerability in Admin Key Handler
A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 23781. It is recommended to apply a patch to fix this issue. The vendor was contacted early about this disclosure.
A flaw was found in BerriAI litellm. A remote attacker could exploit an improper authorization vulnerability within the Admin Key Handler component. This could allow the attacker to perform unauthorized actions, leading
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-10