Auth bypass in O2oa
CVE-2026-7292
A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely…
EPSS: 0.001 (18.4th percentile).
CVSS v3 metric
CVSS v3 base score 5.6 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L.
Affected products
- N/a O2oa — versions 10.0
Weakness classification (CWE)
References
- VDB-359952 | o2oa NodeAgent NodeAgent.java syncFile improper authorization (technical-description, vdb-entry)
- VDB-359952 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
- Submit #803074 | o2oa https://github.com/o2oa/o2oa 10.0 Code Execution (third-party-advisory)
- cna@vuldb.com (issue-tracking, exploit)
- cna@vuldb.com (product)
Frequently asked questions
- What is CVE-2026-7292?
  CVE-2026-7292 is a medium-severity vulnerability in O2oa, classified under Incorrect Privilege Assignment. CVSS score: 5.6/10. Published 2026-04-28.
- How severe is CVE-2026-7292?
  Medium severity. CVSS v3 base score is 5.6 out of 10.