CVE-2026-7292 MEDIUM

CVE-2026-7292: o2oa NodeAgent NodeAgent.java syncFile improper authorization

Vendor N/A

Product o2oa

Weakness CWE-285

Published April 28, 2026

Last update April 29, 2026

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Key dates

Disclosure timeline

April 28, 2026 CVE published

April 29, 2026 Record updated