High severity7.5NVD Advisory· Published Apr 10, 2026· Updated Apr 27, 2026

CVE-2026-23782

Description

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.

Affected products

BMC Software/Control M\/managed File Transfer
cpe:2.3:a:bmc:control-m\/managed_file_transfer:*:*:*:*:*:*:*:*
Range: >=9.0.20,<=9.0.22

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-308/nvdPatch
www.bmc.com/support/resources/issue-defect-management.htmlnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000