Auth bypass in MyComplianceOffice MCO
CVE-2026-53905
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without…
Vulnerability class: Broken Access Control
Affected products
- MyComplianceOffice MCO — version 25.3.3.1
Weakness classification (CWE)
References
- cvd@cert.pl (third-party-advisory)
- cvd@cert.pl (product)