CVE-2026-33553

Vulnerability

Northern.tech CFEngine Enterprise versions 3.24.3 and earlier, and 3.27.0 and earlier, are affected by a cross-site scripting (XSS) vulnerability. This issue stems from an incorrect Content-Type HTTP header returned by certain API endpoints within the Mission Portal component, which can lead to the browser rendering data as executable JavaScript [1].

Exploitation

An attacker with low-privilege access to a Mission Portal account can exploit this vulnerability. They must craft a malicious link pointing to a specific API URL and trick an administrator into clicking this link. This user interaction is required to trigger the vulnerability, as it does not occur through normal UI navigation [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code within the context of an administrator's session. This can lead to privilege escalation, enabling the attacker to gain administrative access to the CFEngine hub and the infrastructure it manages [1].

Mitigation

CFEngine Enterprise versions 3.24.4 and 3.27.1, released on June 2, 2026, contain a fix for this vulnerability. Users are advised to upgrade to these or later versions. No workarounds are specified in the available references [1].