Authorization Flaw in WebPros Plesk XML-RPC API Exposes Sensitive Data
CVE-2026-56843
9.9CRITICAL
What is CVE-2026-56843?
An authorization flaw in the XML-RPC API of WebPros Plesk versions prior to 18.0.78.4 allows unauthorized low-privileged authenticated users to access domains they do not own. This is due to insufficient ownership checks for certain lookup filters, compounded by a bypass in schema validation for older protocol versions. Consequently, this vulnerability permits cross-tenant disclosure of FTP credentials stored in cleartext, potentially enabling attackers to execute code as another tenant's system user.
Affected Version(s)
Plesk 10.4 < 18.0.78.4
