Severity: HIGH | CVE-2026-40543 | CNA: CERT-PL

CVE-2026-40543: Missing Authorization in SOPlanning

SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information. This issue affects SOPlanning version 1.55 and below.

Metrics

CVSS v4.0 score: 8.8
Severity: HIGH
Fixed in: no fix version published upstream
Affected products: 1


HarborGuard Analysis

Synopsis

Missing authorization in SOPlanning (versions 1.55 and below) allows an unauthenticated remote attacker to directly access backup-related endpoints without any credentials. By querying these endpoints over the network, an attacker retrieves backup archives containing the user database with usernames and password hashes, along with a config.csv file holding additional sensitive configuration data. Successful exploitation gives the attacker full read access to stored credentials and application secrets. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-40543 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the CERT-PL advisory, covering both registry-hosted and custom-built SOPlanning images. Any image found running SOPlanning 1.55 or below is flagged automatically in the customer's pipeline results.
Triage: Available

HarborGuard surfaces this CVE with its CVSS v4.0 score of 8.8 (High) and applies per-environment compliance policy weighting to determine urgency tier and routing. Triage alerts are directed to the inbox or ticketing integration configured for the affected workload's owning team within each customer org.
Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the CERT-PL advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SOPlanning service over the network; the vulnerable backup endpoints are served over HTTP and impose no adjacent-network or physical-access constraint (AV:N).

  • Authentication: Not required

    No credentials of any kind are needed; the backup endpoints answer without any authentication (PR:N).

  • Victim interaction: Not required

    The attacker queries the backup endpoints directly; no action by any user is needed (UI:N).

  • Attack complexity: Low

    Exploitation is a direct HTTP request to the backup endpoint path, with no race condition or environmental prerequisite (AC:L, AT:N).

Blast Radius

  • Reads the full user database backup, exposing the usernames and password hashes of every account in the SOPlanning instance.
  • Retrieves the config.csv file, which the advisory describes as holding additional sensitive information; treat any application secrets or database connection parameters it contains as exposed.
  • Hashes cracked offline, or passwords reused elsewhere, enable follow-on access to other systems where the same credentials are valid.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with a CVSS v4.0 score of 8.8 (High), and no upstream fix currently exists for SOPlanning 1.55 and below. HarborGuard re-evaluates the CERT-PL advisory on every ingest cycle so that a patched-image rebuild becomes available the moment an upstream fix is published; for customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads then proceed automatically. Until then, compensating controls worth applying:

  • Block the backup-related endpoints at the reverse-proxy or ingress layer with a routing rule. The advisory does not name the paths, so confirm them in your deployment first, and match on the normalized (percent-decoded, dot-segment-resolved) path so that encoded variants do not slip past the rule.
  • Restrict inbound HTTP access to the SOPlanning service to known trusted IP ranges with a network policy. This does not restore the missing authorization check, but it removes the unauthenticated, internet-wide reachability that drives the score.
  • Review access logs for requests to the backup endpoints that returned a success status from untrusted sources. If exposure cannot be ruled out, treat the password hashes and any secrets in config.csv as compromised: rotate the secrets, force password resets, and watch for reuse of those credentials elsewhere.
  • Egress filtering does not prevent this read-only disclosure, but it limits what an attacker who has obtained configuration secrets can reach from the host.
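The edge deny rule and the access-log review described above, as one worked check in Python. This is an added example and not SOPlanning or HarborGuard code: the advisory does not name the backup endpoint paths, so the prefixes in BLOCKED_PREFIXES, the trusted CIDR ranges, and the log lines (including the file names download.php and latest.zip) are constructed for illustration and must be replaced with what your deployment actually serves.

```python
"""Edge policy plus access-log audit for the interim controls above.

Added example, not SOPlanning or HarborGuard code. The backup path prefixes,
trusted CIDR ranges and log lines are constructed for illustration; the
advisory does not name the real endpoint paths.
"""
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical prefixes; the advisory only says "backup-related endpoints".
BLOCKED_PREFIXES = ("/backup", "/admin/backup")
# Hypothetical allowlist standing in for the network-policy control.
TRUSTED_RANGES = tuple(ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.0.2.0/24"))

# Apache/nginx "combined" access-log line: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize_path(target: str) -> str:
    """Canonicalise a request target before prefix matching.

    Drops the query string, percent-decodes until stable (so %2F and the
    double-encoded %252F both become '/'), and resolves '.', '..' and
    duplicate slashes. For a deny rule, over-decoding is the safe direction:
    it can only make more requests match the block.
    """
    path = urlsplit(target).path
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    # Force a single leading slash so normpath cannot keep a POSIX '//' root.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_backup_endpoint(target: str) -> bool:
    """True if the normalised path is a blocked prefix or anything below it.

    Matching on a path boundary keeps '/backups-old/...' from being caught.
    """
    path = normalize_path(target)
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


def decide(client_ip: str, target: str):
    """Decision the reverse proxy or ingress should make for one request."""
    if is_backup_endpoint(target):
        return "deny", "backup endpoint blocked pending upstream fix"
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in TRUSTED_RANGES):
        return "deny", "source outside trusted ranges"
    return "allow", "ok"


def audit_access_log(lines):
    """Retrospective check: a request that reached a backup endpoint and got
    a 2xx is the one to treat as a successful disclosure."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        if is_backup_endpoint(m["target"]) and m["status"].startswith("2"):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": normalize_path(m["target"]), "bytes": m["size"]})
    return hits


# Constructed sample log; 'download.php' and 'latest.zip' are made-up names.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:01:05 +0000] "GET /backup/ HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:12:01:09 +0000] "GET /backup/download.php?file=latest.zip HTTP/1.1" 200 1048576 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2026:12:05:00 +0000] "GET /%2E%2E/backup//config.csv HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.12 - - [10/Mar/2026:12:10:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.12 - - [10/Mar/2026:12:12:00 +0000] "GET /backup/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target in [("203.0.113.7", "/backup/download.php?file=latest.zip"),
                       ("10.0.0.12", "/index.php"),
                       ("203.0.113.7", "/index.php")]:
        print(ip, target, "->", decide(ip, target))
    for hit in audit_access_log(SAMPLE_LOG.splitlines()):
        print("DISCLOSED:", hit)
```

The third sample line is the reason normalization matters: a naive `startswith("/backup")` on the raw target would miss `/%2E%2E/backup//config.csv` both in the proxy rule and in the log review, while the normalized form is plainly `/backup/config.csv`. The 403 on the last line shows what the log looks like once the edge rule is in place.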

Affected packages
  • SOPlanning / SOPlanning
    ≤ 1.55
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N