Auth bypass in Mycomplianceoffice Mco
CVE-2026-53902
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privil…
Affected products
- Mycomplianceoffice Mco — versions 25.3.3.1
Weakness classification (CWE)
References
- cvd@cert.pl (third-party-advisory)
- cvd@cert.pl (product)