Auth bypass in Trane Tracer Concierge

CVE-2026-28254

A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.

Vulnerability class: Broken Access Control

EPSS: 0.000 (13.9th percentile) — read the EPSS interpretation.