Auth bypass in MyComplianceOffice MCO

CVE-2026-53905

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References