CVE-2026-36176: GNCC GP5 v7
GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An information disclosure vulnerability exists in GNCC GP5 v7.1.76 where pre-signed Backblaze B2 upload URLs are written in plaintext to the serial console (UART interface). An attacker with physical access to the device and a low-privilege account can read these active tokens directly from the serial output without any interaction from a victim. Successful exploitation lets an attacker use the extracted pre-signed URLs to perform unauthorized upload operations against the associated Backblaze B2 storage bucket, exposing and potentially corrupting stored data. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-36176 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images derived from GNCC GP5 v7.1.76 firmware layers.
Status: Available
HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to prioritize or escalate findings and route them to the appropriate team inbox within each customer organization.
Status: Available
No fix version has been published for this CVE. HarborGuard re-checks the upstream advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer publishes a fix.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  Physical proximity to the device is required; the attacker must have hands-on access to the serial UART interface rather than reaching it over any network path.
- Authentication: Required
  A low-privilege account on the device is sufficient; no administrative or elevated credentials are needed beyond basic access.
- Victim interaction: Not required
  No action from any other user or victim is needed; the attacker can monitor the serial console independently.
- Attack complexity
  The exploit is reliable and condition-free; extracting plaintext tokens from the UART output requires no special timing, memory layout knowledge, or environmental prerequisites.
Blast Radius
- Attacker reads active pre-signed Backblaze B2 PUT URLs directly from the serial console output, gaining valid credentials for unauthorized storage operations.
- Attacker uses extracted tokens to upload arbitrary data to the associated Backblaze B2 bucket, potentially overwriting or corrupting stored objects.
- Confidentiality of any data referenced by the pre-signed URLs is compromised for the lifetime of each active token.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against all customer images containing affected GNCC GP5 v7.1.76 components within minutes of advisory ingestion. Because no upstream fix exists yet, HarborGuard monitors the advisory each ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is published. In the interim, compensating controls worth considering include network-policy isolation of any management interfaces that relay serial output, restricting UART access to authorized personnel only, and reviewing Backblaze B2 bucket policies to limit the blast radius of any token that is already exposed. Customers can also configure HarborGuard compliance policies to flag images carrying this CVE as non-compliant until a fix is available, surfacing the risk to the appropriate team inbox without waiting for a patch.
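To support the interim controls above, the following added example (not code from HarborGuard or GNCC) audits a captured serial console log for pre-signed URLs, works out whether each token is still within its lifetime, and redacts the line for retention. It assumes the URLs use the S3-compatible SigV4 query-string form (X-Amz-Date, X-Amz-Expires, X-Amz-Signature), which the advisory does not specify; the function names and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample console capture; host, key ID and signature are placeholders.
SAMPLE = [
    "[  12.301] wifi: connected",
    "[  14.882] upload: PUT https://bucket.s3.example.invalid/clip/0001.mp4"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=EXAMPLEKEYID%2F20260101%2Fregion%2Fs3%2Faws4_request"
    "&X-Amz-Date=20260101T120000Z&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=00000000",
    "[  15.010] status: https://example.invalid/health?verbose=1",
]

def expiry_of(url):
    """Return the UTC expiry of a SigV4 presigned URL, or None if unparseable."""
    q = parse_qs(urlsplit(url).query)
    try:
        issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = timedelta(seconds=int(q["X-Amz-Expires"][0]))
    except (KeyError, ValueError):
        return None
    return issued.replace(tzinfo=timezone.utc) + lifetime

def audit(lines, now):
    """List (line_no, host+path, expiry, still_live) for every presigned URL."""
    findings = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if "X-Amz-Signature=" not in url:
                continue
            exp = expiry_of(url)
            parts = urlsplit(url)
            # Unknown expiry is treated as live so it is not silently ignored.
            findings.append((n, parts.netloc + parts.path, exp, exp is None or exp > now))
    return findings

def redact(line):
    """Drop the query string of presigned URLs so the line can be retained."""
    def scrub(m):
        url = m.group(0)
        if "X-Amz-Signature=" not in url:
            return url
        return url.split("?", 1)[0] + "?[REDACTED]"
    return URL_RE.sub(scrub, line)
```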
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N