CVE-2026-21661 HIGH

CVE-2026-21661: AC2000 Uncontrolled Search Path Element

Vendor Johnsoncontrols
Product AC2000
Weakness CWE-427
Published May 6, 2026
Last update May 6, 2026

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3.

Key dates

02Disclosure timeline

May 6, 2026 CVE published
May 6, 2026 Record updated