Authorization Flaw in WebPros Plesk XML-RPC API Exposes Sensitive Data
CVE-2026-56843

9.9CRITICAL

Key Information:

Vendor

Webpros

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56843?

An authorization flaw in the XML-RPC API of WebPros Plesk versions prior to 18.0.78.4 allows unauthorized low-privileged authenticated users to access domains they do not own. This is due to insufficient ownership checks for certain lookup filters, compounded by a bypass in schema validation for older protocol versions. Consequently, this vulnerability permits cross-tenant disclosure of FTP credentials stored in cleartext, potentially enabling attackers to execute code as another tenant's system user.

Affected Version(s)

Plesk 10.4 < 18.0.78.4

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.