CVE-2026-26095 – CVE-2026-26095 is an incorrect permission assig... (How to Fix)

Q: What is the severity of CVE-2026-26095?

CVE-2026-26095 has a CVSS score of 5.5 (MEDIUM). CVE-2026-26095 is an incorrect permission assignment vulnerability in Owl opds 2.2.0.4 that allows attackers to manipulate files through crafted network requests. This affects systems running vulnerable versions of Owl opds, potentially allowing unauthorized file access or modification.

📋 TL;DR

CVE-2026-26095 is an incorrect permission assignment vulnerability in Owl opds 2.2.0.4 that allows attackers to manipulate files through crafted network requests. This affects systems running vulnerable versions of Owl opds, potentially allowing unauthorized file access or modification.

💻 Affected Systems

Products:

Owl opds

Versions: 2.2.0.4

Operating Systems: All platforms running Owl opds

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of Owl opds 2.2.0.4 are vulnerable by default.

📦 What is this software?

Opds Talon by Owlcyberdefense

View all CVEs affecting Opds Talon →

Opds Talon by Owlcyberdefense

View all CVEs affecting Opds Talon →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through file manipulation leading to remote code execution, data theft, or service disruption.

🟠

Likely Case

Unauthorized file access or modification, potentially exposing sensitive data or disrupting application functionality.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to the vulnerable service but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26095

Restart Required: No

Instructions:

No official patch available. Monitor vendor for updates and apply when released.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict network access to Owl opds service to trusted IPs only

iptables -A INPUT -p tcp --dport [owl_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [owl_port] -j DROP

Service Isolation

all

Run Owl opds in isolated network segment or container

docker run --network isolated_network owl_opds:2.2.0.4

🧯 If You Can't Patch

Implement strict network segmentation to isolate Owl opds from untrusted networks
Apply principle of least privilege to file system permissions where Owl opds operates

🔍 How to Verify

Check if Vulnerable:

Check Owl opds version: grep -i version /path/to/owl/config or check package manager

Check Version:

owl-opds --version or check installed package version

Verify Fix Applied:

Verify version is updated beyond 2.2.0.4 when patch becomes available

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in Owl opds logs
Failed permission checks in system logs

Network Indicators:

Unusual network traffic to Owl opds port from untrusted sources
Multiple failed file manipulation attempts

SIEM Query:

source="owl_opds.log" AND ("permission denied" OR "file access" OR "unauthorized")

📊 Metadata

CVE ID: CVE-2026-26095

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-732

Published: February 20, 2026

Last Updated: February 27, 2026

🔗 References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26095 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-26095, you might also want to check these: