CVE-2026-47688

Discovered by AISLEPUBLISHEDCWE-862

Description

The clearAES and clearPMTasks methods in FOGPage can be invoked by an unauthenticated attacker via a single HTTP GET request through the public client node endpoint. This allows remote wiping of host AES encryption credentials and deletion of all power management scheduled tasks, with no login, session, or CSRF token required. Host and group IDs are sequential integers, so an attacker can enumerate and wipe all targets. Affects any FOG deployment where the management web interface is reachable by untrusted clients.

CVSS Base Scores

CVSS v3.1(Primary)
8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Affected Products

VendorProductVersionStatus
FOGProjectFOG< 1.5.10.1832
FOGProjectFOG< 1.6.0-beta.2313
FOGProjectfogproject< 1.5.10.1832
FOGProjectfogproject< 1.6.0-beta.2313

Credits

  • pavelkohout396(reporter)

Solutions

Upgrade to FOG >= 1.5.10.1832 (stable) or >= 1.6.0-beta.2313 (beta).

References