CVE-2026-28254 MEDIUM

CVE-2026-28254: Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

Vendor Trane

Product Tracer SC

Weakness CWE-862 · Missing authorization

Published March 12, 2026

Last update March 12, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.

Key dates

02Disclosure timeline

March 12, 2026 CVE published

March 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28254 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2022-3512 Lock WARP switch bypass using warp-cli 'add-trusted-ssid' command CVE-2024-43981 WordPress GeoDirectory plugin <= 2.3.70 - Broken Access Control vulnerability CVE-2024-32818 WordPress MDTF – Meta Data and Taxonomies Filter plugin <= 1.3.3 - Broken Access Control vulnerability CVE-2026-45625 Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs CVE-2025-26871 WordPress Essential Blocks plugin <= 4.8.3 - Broken Access Control vulnerability

Identifiers

CVE CVE-2026-28254

CWE CWE-862

CVSS 6.9 / MEDIUM

Affected versions

Vendor Trane

Product Tracer SC

Affected < v4.4 SP7

Vendor Trane

Product Tracer SC+

Affected < v6.3.2310

Vendor Trane

Product Tracer Concierge

Affected < v6.3.2310