CVE-2026-47688
Discovered by AISLEPUBLISHEDCWE-862
Description
The clearAES and clearPMTasks methods in FOGPage can be invoked by an unauthenticated attacker via a single HTTP GET request through the public client node endpoint. This allows remote wiping of host AES encryption credentials and deletion of all power management scheduled tasks, with no login, session, or CSRF token required. Host and group IDs are sequential integers, so an attacker can enumerate and wipe all targets. Affects any FOG deployment where the management web interface is reachable by untrusted clients.
CVSS Base Scores
CVSS v3.1(Primary)
8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| FOGProject | FOG | < 1.5.10.1832 | — |
| FOGProject | FOG | < 1.6.0-beta.2313 | — |
| FOGProject | fogproject | < 1.5.10.1832 | — |
| FOGProject | fogproject | < 1.6.0-beta.2313 | — |
Credits
- pavelkohout396(reporter)
Solutions
Upgrade to FOG >= 1.5.10.1832 (stable) or >= 1.6.0-beta.2313 (beta).