| CVE ID | Publication date | Vendor | Product | Vulnerable versions | Vulnerability type (CWE) | Report source |
|---|---|---|---|---|---|---|
| CVE-2026-53902 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Incorrect Privilege Assignment (CWE-266) | Report to CERT Polska |
| CVE-2026-53903 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Authorization Bypass Through User-Controlled Key (CWE-639) | Report to CERT Polska |
| CVE-2026-53904 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Improper Restriction of Excessive Authentication Attempts (CWE-307) | Report to CERT Polska |
| CVE-2026-53905 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Incorrect Authorization (CWE-863) | Report to CERT Polska |
| CVE-2026-53906 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Report to CERT Polska |
| CVE-2026-53907 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) | Report to CERT Polska |
| CVE-2026-53908 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Observable Response Discrepancy (CWE-204) | Report to CERT Polska |
| CVE-2026-53909 | 01 July 2026 | MyComplianceOffice | MCO | 25.3.3.1 | Unrestricted Upload of File with Dangerous Type (CWE-434) | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in MyComplianceOffice MCO software and participated in coordinating their disclosure.
The vulnerability CVE-2026-53902: MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation.
An attacker can add themselves to arbitrary groups by supplying a valid group ID. Such IDs can be obtained through other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided the attacker has the necessary permissions, or potentially inferred through brute-force techniques.
The vulnerability CVE-2026-53903: MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier.
An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information.
The vulnerability CVE-2026-53904: MCO is vulnerable to Account Denial of Service due to an improper implementation of the password reset functionality. Each password reset request invalidates the previously set password as well as previously issued temporary passwords; furthermore, password resets are not limited in any way. An attacker who provides the victim's email and the answer to their security question can successfully initiate the reset process and continuously invalidate credentials, effectively locking the victim out of their account. Answering security questions has a limited number of tries, which lowers the risk of this vulnerability.
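The two properties missing in CVE-2026-53904 are that a reset request must not invalidate the current credentials and that requests must be rate-limited per account. The following Python sketch is an added example, not MCO code: the limit, window and token lifetime are constructed policy values, `Account` and `PasswordReset` are hypothetical names, and the existing password stays valid until a single-use token is actually redeemed.

```python
import hmac
import secrets
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Optional

RESET_LIMIT = 3          # reset requests per account per window (constructed policy, not MCO's)
WINDOW_SECONDS = 3600
TOKEN_TTL_SECONDS = 900

class TooManyRequests(Exception):
    """The account has exhausted its reset requests for the current window."""

@dataclass
class Account:
    password: str                    # stand-in for a stored password hash
    reset_requests: deque = field(default_factory=deque)
    pending_token: Optional[str] = None
    token_expires: float = 0.0

class PasswordReset:
    def __init__(self, accounts: Dict[str, Account], clock=time.monotonic):
        self.accounts = accounts
        self.clock = clock           # injectable so tests can advance time

    def request_reset(self, email: str) -> Optional[str]:
        """Issue a single-use token to be e-mailed; the current password stays valid."""
        acct = self.accounts.get(email)
        if acct is None:
            return None              # caller answers identically for unknown accounts
        now = self.clock()
        while acct.reset_requests and now - acct.reset_requests[0] > WINDOW_SECONDS:
            acct.reset_requests.popleft()        # forget requests outside the window
        if len(acct.reset_requests) >= RESET_LIMIT:
            raise TooManyRequests(email)
        acct.reset_requests.append(now)
        acct.pending_token = secrets.token_urlsafe(32)
        acct.token_expires = now + TOKEN_TTL_SECONDS
        return acct.pending_token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Only a valid, unexpired token changes the password; nothing else is invalidated."""
        acct = self.accounts.get(email)
        if acct is None or acct.pending_token is None or self.clock() > acct.token_expires:
            return False
        if not hmac.compare_digest(acct.pending_token, token):
            return False
        acct.password, acct.pending_token = new_password, None
        return True
```

Returning `None` for unknown accounts lets the calling handler send the same outward response whether or not the address exists, which also addresses the discrepancy described under CVE-2026-53908.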
The vulnerability CVE-2026-53905: MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks.
This may expose sensitive permission mappings and internal configuration details.
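CVE-2026-53902, CVE-2026-53903 and CVE-2026-53905 share one root cause: an identifier or role supplied in the request is treated as authority. The Python sketch below is an added example, not MCO code; `User`, `Statement`, `StatementService` and `GroupService` are hypothetical names and all IDs and roles are constructed. It shows the server-side check that ties each object to the requesting principal, returns one indistinguishable error for missing and foreign documents, and gates membership changes and the ACL tree on the actor's role rather than on anything in the request.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable

class Forbidden(Exception):
    """The requesting user may not access or modify this object."""

@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Statement:
    doc_id: int
    owner_id: str
    content: bytes

class StatementService:
    """Every fetch is checked against the document's owner; the ID in the request proves nothing."""
    def __init__(self, docs: Iterable[Statement]):
        self._docs = {d.doc_id: d for d in docs}

    def fetch_pdf_statement(self, user: User, doc_id: int) -> bytes:
        doc = self._docs.get(doc_id)
        # One error for "missing" and "not yours": the response must not reveal which IDs exist.
        if doc is None or (doc.owner_id != user.user_id and "admin" not in user.roles):
            raise Forbidden("statement not accessible")
        return doc.content

class GroupService:
    """Membership changes require the admin role of the actor; IDs in the request carry no authority."""
    def __init__(self, groups: Dict[str, Iterable[str]]):
        self._groups = {g: set(m) for g, m in groups.items()}

    def add_member(self, actor: User, group_id: str, target_user_id: str) -> None:
        if "admin" not in actor.roles:
            raise Forbidden("only administrators may change group membership")
        if group_id not in self._groups:
            raise Forbidden("group not accessible")
        self._groups[group_id].add(target_user_id)

    def members(self, group_id: str) -> FrozenSet[str]:
        return frozenset(self._groups.get(group_id, ()))

    def acl_tree(self, actor: User) -> Dict[str, FrozenSet[str]]:
        """Administrative view of all groups: admin-only, as the ACL tree endpoint should be."""
        if "admin" not in actor.roles:
            raise Forbidden("administrator role required")
        return {g: frozenset(m) for g, m in self._groups.items()}
```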
The vulnerability CVE-2026-53906: MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.
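For the filename handling in CVE-2026-53906 the two controls are rejecting anything that is not a bare file name, then checking containment after path resolution, and keeping absolute server paths out of client-facing errors. The Python sketch below is an added example, not MCO code: the export directory is a constructed location and `safe_export_path` / `export_response` are hypothetical names.

```python
import logging
from pathlib import Path, PurePosixPath

log = logging.getLogger("exports")
EXPORT_ROOT = Path("/srv/mco/exports")     # constructed location, not the product's real path

class InvalidFilename(ValueError):
    """The client-supplied filename is rejected rather than 'cleaned'."""

def safe_export_path(filename: str, root: Path = EXPORT_ROOT) -> Path:
    """Map a client-supplied filename to a path strictly inside root, or raise."""
    # Lexical checks first: separators, NUL bytes and dot entries are refused, not stripped.
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        raise InvalidFilename("filename must be a bare file name")
    if filename in (".", "..") or PurePosixPath(filename).name != filename:
        raise InvalidFilename("filename must be a bare file name")
    root = root.resolve()
    candidate = (root / filename).resolve(strict=False)
    # Containment check after resolution catches what lexical checks miss (e.g. a symlinked entry).
    if candidate.parent != root:
        raise InvalidFilename("resolved path escapes the export directory")
    return candidate

def export_response(filename: str) -> dict:
    """Client-facing result; the absolute server path is logged, never returned."""
    try:
        target = safe_export_path(filename)
    except InvalidFilename as exc:
        log.warning("rejected export filename %r: %s", filename, exc)   # full detail server-side
        return {"status": 400, "message": "invalid file name"}          # generic message to client
    return {"status": 200, "message": "export queued", "name": target.name}
```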
The vulnerability CVE-2026-53907: MCO is vulnerable to Stored Cross-Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened.
The vulnerability CVE-2026-53908: MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.
The vulnerability CVE-2026-53909: MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server.
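CVE-2026-53907 and CVE-2026-53909 are both fixed on the server side: the file type is determined from the bytes actually received rather than from the client's declared type or extension, and an SVG accepted for a logo field is refused if it carries script, event handlers or script-scheme links. The Python sketch below is an added example, not MCO code; the allow-list, the denied element and attribute names and the sample files are constructed. It is a rejection filter, not a sanitiser: the more robust deployment choice is to rasterise logos or serve SVGs with `Content-Disposition: attachment` from a separate origin, and a production parser should also guard against XML entity expansion.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Allow-list keyed by the file's own leading bytes; the client-declared type is ignored
# (constructed policy, not MCO's).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
}
LOGO_ALLOWED = ("image/png", "image/jpeg", "image/svg+xml")   # what a logo field accepts
ACTIVE_TAGS = {"script", "foreignobject"}
DENIED_SCHEMES = ("javascript:", "data:")

class RejectedUpload(ValueError):
    """Upload refused by server-side validation."""

def sniff_type(data: bytes) -> str:
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "image/svg+xml"
    raise RejectedUpload("unrecognised file type")

def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG carries markup a browser would execute when the file is opened directly."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True                                  # unparsable markup is treated as unsafe
    if root.tag.rsplit("}", 1)[-1].lower() != "svg":
        return True                                  # XML that is not an SVG document at all
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() in ACTIVE_TAGS:
            return True
        for attr, value in el.attrib.items():
            local = attr.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):               # onload=, onclick=, ...
                return True
            if local == "href" and value.strip().lower().startswith(DENIED_SCHEMES):
                return True
    return False

def validate_upload(data: bytes, allowed: Tuple[str, ...] = LOGO_ALLOWED) -> str:
    """Return the verified MIME type or raise; the client's claim is never consulted."""
    mime = sniff_type(data)
    if mime not in allowed:
        raise RejectedUpload(f"{mime} is not allowed here")
    if mime == "image/svg+xml" and svg_has_active_content(data):
        raise RejectedUpload("SVG contains active content")
    return mime
```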
Because vendor contact attempts were unsuccessful, the vulnerabilities have only been confirmed in version 25.3.3.1 but may also affect other versions.
Credits
We thank Hubert Decyusz from AFINE Team for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.