{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28264", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-02-25T18:04:25.462Z", "datePublished": "2026-04-08T11:24:25.496Z", "dateUpdated": "2026-04-08T14:16:22.270Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-08T12:25:08.381Z"}, "datePublic": "2026-04-03T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Agent", "versions": [{"status": "affected", "version": "0", "lessThan": "20.1.0.0 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:16:09.482882Z", "id": "CVE-2026-28264", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:16:22.270Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28264", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:16:09.482882Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:16:18.733Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Agent", "versions": [{"status": "affected", "version": "0", "lessThan": "20.1.0.0 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-03T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.", "supportingMedia": [{"type": "text/html", "value": "Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-08T12:25:08.381Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28264", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:16:22.270Z", "dateReserved": "2026-02-25T18:04:25.462Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-04-08T11:24:25.496Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure."}], "id": "CVE-2026-28264", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-04-08T12:16:21.110", "references": [{"source": "security_alert@emc.com", "url": "https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T12:50:39.047054+00:00", "value": {"mitigation_remediation": ["Apply the Dell PowerProtect Data Manager security update to version 20.1 or later.", "Verify that the update was installed correctly and that the PowerProtect Agent service restarts successfully.", "If patching cannot be performed immediately, restrict local user access to the PowerProtect Agent executable and its related directories to reduce the chance of information exposure.", "Monitor system logs for signs of unauthorized data access after remediation."], "summary": {"action": "Patch", "impact": "Information Exposure"}, "threat_synthesis": {"affected_systems": "Dell PowerProtect Agent Service, versions earlier than 20.1, installed on Dell PowerProtect solutions that include the agent component. Systems that have not yet been upgraded to version 20.1 or later are affected.", "description_and_impact": "The flaw is an incorrect permission assignment that allows a local user with low privileges to access critical resources managed by the Dell PowerProtect Agent Service. This can lead to the exposure of confidential data that the agent processes or stores, representing an information disclosure risk. The weakness corresponds to CWE\u2011732, which describes improper handling of permissions that permits unauthorized access to sensitive resources.", "risk_and_exploitability": "The CVSS base score of 3.3 indicates low severity. The EPSS score is not available, leaving the likelihood of exploitation uncertain. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires local access with a low\u2011privileged account, the threat is limited to systems that can be accessed physically or remotely with low\u2011privileged credentials. The overall risk is low to moderate, and remediation by patching is strongly recommended."}}}}, "created": "2026-04-08T19:39:45.499733+00:00", "title": "Information Exposure via Improper Permission Assignment in Dell PowerProtect Agent Service", "updated": "2026-04-08T19:39:45.499765+00:00", "vendors": []}