CVE-2026-54554

Discovered by AISLEPUBLISHEDCWE-200

Description

The adInfo() method in FOGProject returns the Active Directory default join password in plaintext within JSON responses. The endpoint lacks authorization checks and is reachable through unauthenticated request paths via the node=ipxe parameter, allowing attackers to retrieve stored Active Directory credentials without authentication. The affected logic lives in packages/web/lib/fog/fogpage.class.php, with related handling in packages/web/management/index.php and packages/web/lib/fog/fogpagemanager.class.php.

CVSS Base Scores

CVSS v3.1(Primary)
7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

VendorProductVersionStatus
FOGProjectFOGcurrent
FOGProjectfogprojectcurrent

Credits

  • Pavel Kohout from Aisle Research(reporter)

Solutions

Update to the patched code on the dev-branch and working-1.6 current branches, which add authorization checks and stop returning the Active Directory default join password in plaintext.

References