CVE-2026-50502
Insufficient granularity of access control in Windows Event Logging Service allows an authorized attacker to execute code over a network.
CVSS
8.0
High
EPSS
0.6%
p45
KEV
—
Exploit Today
14
0-100
Published: Jul 14, 2026 · Last modified: Jul 16, 2026 · CWE-1220
0.6%EPSS · 30 days0.6%
2026-07-152026-07-16
Insufficient granularity of access control in Windows Event Logging Service allows an authorized attacker to execute code over a network.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-561557.8 HIG30.2%
KEV—59Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability 1dCVE-2026-393637.5 HIG85.4%
——26Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.2dCVE-2026-491707.8 HIG83.0%
——25Insufficient granularity of access control in Windows StateRepository API allows an authorized attacker to elevate privileges locally.7hCVE-2025-44049.1 CRI76.4%
——23A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.16dCVE-2026-409817.5 HIG35.3%
——11When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects.
Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.2dCVE-2025-691966.5 MED28.0%
——8FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2.2d