{"api_version":"1","generated_at":"2026-06-02T10:06:55+00:00","cve":"CVE-2026-49002","urls":{"html":"https://cve.report/CVE-2026-49002","api":"https://cve.report/api/cve/CVE-2026-49002.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-49002","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-49002"},"summary":{"title":"Broken Access Control Vulnerability in ZTE ZXUniPOS NDS-LTE product","description":"Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.","state":"PUBLISHED","assigner":"zte","published_at":"2026-05-27 09:16:32","updated_at":"2026-05-27 19:59:03"},"problem_types":["CWE-284","CWE-284 CWE-284: Improper Access Control"],"metrics":[{"version":"3.1","source":"psirt@zte.com.cn","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6783201397271515377","name":"https://support.zte.com.cn/zte-iccp-isupport
-webui/bulletin/detail/6783201397271515377","refsource":"psirt@zte.com.cn","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-49002","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49002","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ZTE","product":"ZXUniPOS NDS-LTE","version":"affected V24.30.40CP02 and earlier versions","platforms":[]},{"source":"CNA","vendor":"ZTE","product":"ZXUniPOS NDS-LTE","version":"affected V24.40.40 and earlier versions","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Venom Nguyen","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"49002","cve":"CVE-2026-49002","epss":"0.000310000","percentile":"0.093320000","score_date":"2026-06-01","updated_at":"2026-06-02 00:05:21"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-49002","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-05-27T13:40:30.105103Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-27T13:40:37.935Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"ZXUniPOS NDS-LTE","vendor":"ZTE","versions":[{"status":"affected","version":"V24.30.40CP02 and earlier versions"},{"status":"affected","version":"V24.40.40 and earlier versions"}]}],"credits":[{"lang":"en","type":"finder","value":"Venom Nguyen"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Access control failure means that an application does not 
effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.</p>"}],"value":"Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information."}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284: Improper Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-27T08:19:15.774Z","orgId":"6786b568-6808-4982-b61f-398b0d9679eb","shortName":"zte"},"references":[{"url":"https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/6783201397271515377"}],"source":{"discovery":"UNKNOWN"},"title":"Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE product","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"6786b568-6808-4982-b61f-398b0d9679eb","assignerShortName":"zte","cveId":"CVE-2026-49002","datePublished":"2026-05-27T08:19:15.774Z","dateReserved":"2026-05-27T01:01:53.326Z","dateUpdated":"2026-05-27T13:40:37.935Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 09:16:32","lastModifiedDate":"2026-05-27 19:59:03","problem_types":["CWE-284","CWE-284 CWE-284: Improper Access 
Control"],"metrics":{"cvssMetricV31":[{"source":"psirt@zte.com.cn","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"49002","Ordinal":"1","Title":"Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE produc","CVE":"CVE-2026-49002","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"49002","Ordinal":"1","NoteData":"Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.","Type":"Description","Title":"Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE produc"}]}}}