Access Control Bypass in Peplink InControl 2 Product
CVE-2026-57920

7.7HIGH

Key Information:

Vendor: Peplink
Status: Incontrol
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-57920?

An access control bypass vulnerability exists in Peplink InControl 2, allowing unauthorized users to circumvent restrictions on specific REST API endpoints by using semicolons. This affects versions of InControl 2 prior to the June 3, 2026 update. Attackers can exploit this flaw to gain unintended access, potentially compromising sensitive organizational data.

Affected Version(s)

InControl 0 < 2026-06-03

References

https://drive.google.com/file/d/1MoZn73YkDGGpqOgaQbRU1hWV...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 26, 2026

CVE-2026-57920 Data

JSON