CVE-2026-33617 - Vulnerability Details - OpenCVE

An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Key SSVC decision points have not yet been added.

Vendors	Products
Mbconnectline	Mbconnect24 Mymbconnect24

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Mbconnectline	Mbconnect24 Mymbconnect24

References

Link	Providers
https://certvde.com/de/advisories/VDE-2026-030
https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mbconnectline Mbconnectline mbconnect24 Mbconnectline mymbconnect24
Vendors & Products		Mbconnectline Mbconnectline mbconnect24 Mbconnectline mymbconnect24

Thu, 02 Apr 2026 09:30:00 +0000

Type	Values Removed	Values Added
Description		An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials.
Title		MB connect line mbCONNECT24 vulnerable to an unauthenticated information disclosure in the data24 Endpoint
Weaknesses		CWE-497
References		https://certvde.com/de/advisories/VDE-2026-030 https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2026-04-02T09:00:10.713Z

Updated: 2026-04-02T09:00:17.434Z

Reserved: 2026-03-23T13:15:49.382Z

Link: CVE-2026-33617

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-02T10:16:17.260

Modified: 2026-04-02T10:16:17.260

Link: CVE-2026-33617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:36Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33617", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-03-23T13:15:49.382Z", "datePublished": "2026-04-02T09:00:10.713Z", "dateUpdated": "2026-04-02T09:00:17.434Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "mbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "mymbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Moritz Abrell, Christian Z\u00e4ske from SySS GmbH"}], "datePublic": "2026-04-02T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials.<br>"}], "value": "An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-02T09:00:17.434Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://certvde.com/de/advisories/VDE-2026-030"}, {"tags": ["vendor-advisory"], "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}], "source": {"advisory": "VDE-2026-030", "defect": ["CERT@VDE#641994"], "discovery": "EXTERNAL"}, "title": "MB connect line mbCONNECT24 vulnerable to an unauthenticated information disclosure in the data24 Endpoint", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.19.4]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "mbCONNECT24", "source": "cna", "vendor": "MB connect line"}, "product": "mbconnect24", "vendor": "mbconnectline"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.19.4]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "mymbCONNECT24", "source": "cna", "vendor": "MB connect line"}, "product": "mymbconnect24", "vendor": "mbconnectline"}], "analysis": {"en": {"generated_at": "2026-04-02T10:20:43.978259+00:00", "value": {"mitigation_remediation": ["Verify if the vendor has released a patch or update and apply it immediately", "Restrict access to the configuration files and the data24 Endpoint to authorized users only", "Check the vendor\u2019s website or support channels for any advisory or guidance", "Consider disabling or limiting directory listing and other features that expose configuration information"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts MB connect line products: mbCONNECT24 and mymbCONNECT24. No specific version range is documented, so the issue should be considered to affect all current and older releases of these products until a patch is issued.", "description_and_impact": "An unauthenticated remote attacker can read a configuration file that contains database credentials, resulting in a partial loss of confidentiality. The attack does not grant use of the credentials, but exposure of those secrets can still lead to data privacy concerns. The weakness is identified as CWE-497 (Insecure Interface Design).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity vulnerability. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. The attack vector is inferred to be remote and unauthenticated, leveraging the data24 Endpoint exposed by the affected application. The lack of a known exploit path and the moderate CVSS score imply that while the risk is present, immediate widespread exploitation is unlikely, but remediation is still recommended."}}}}, "created": "2026-04-02T20:12:56.639449+00:00", "updated": "2026-04-02T20:21:36.012465+00:00", "vendors": ["mbconnectline", "mbconnectline$PRODUCT$mbconnect24", "mbconnectline$PRODUCT$mymbconnect24"]}