CVE-2026-54554
Discovered by AISLEPUBLISHEDCWE-200
Description
The adInfo() method in FOGProject returns the Active Directory default join password in plaintext within JSON responses. The endpoint lacks authorization checks and is reachable through unauthenticated request paths via the node=ipxe parameter, allowing attackers to retrieve stored Active Directory credentials without authentication. The affected logic lives in packages/web/lib/fog/fogpage.class.php, with related handling in packages/web/management/index.php and packages/web/lib/fog/fogpagemanager.class.php.
CVSS Base Scores
CVSS v3.1(Primary)
7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| FOGProject | FOG | current | — |
| FOGProject | fogproject | current | — |
Credits
- Pavel Kohout from Aisle Research(reporter)
Solutions
Update to the patched code on the dev-branch and working-1.6 current branches, which add authorization checks and stop returning the Active Directory default join password in plaintext.