VYPR
High severity · CVSS 7.5 · NVD Advisory · Published Apr 14, 2026 · Updated Apr 23, 2026

CVE-2026-5756

Description

Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated endpoint in DRC INSIGHT Central Office Services allows network-local attackers to modify server configuration, risking data exfiltration, traffic interception, or service disruption.

Vulnerability

Overview

DRC INSIGHT's Central Office Services (COS) exposes a unified API router that blends content-serving and administrative APIs without separation. The /v0/configuration endpoint, intended for management, is accessible to any unauthenticated system on the same local network as the COS server. The endpoint accepts user-supplied JSON payloads without validation or authorization checks, allowing an attacker to modify the server's configuration file (CVE-2026-5756). This design flaw enables a wide range of malicious actions by any unauthenticated or compromised device on the network [1].

Exploitation

An attacker with network access to the COS server can directly submit requests to the /v0/configuration endpoint, bypassing authentication and origin validation. The endpoint persists the attacker's JSON payload without verifying its content or the safety of the requested changes. This requires no prior authentication and no special privileges beyond network access [1].

Impact

Successful exploitation can lead to mass data exfiltration by overwriting storage configuration values, redirecting test artifacts, responses, or audio recordings to attacker-controlled external services. An attacker could also intercept or manipulate outbound HTTPS traffic by inserting a malicious httpsProxy setting, rerouting communications with DRC validation or content services through an attacker-controlled proxy. Furthermore, malformed JSON, invalid port bindings, or incorrect service endpoints could disrupt operations by preventing the server from starting or interfering with active assessments [1].

Mitigation

Data Recognition Corporation (DRC) has not yet released a public patch or advisory on its own website. The CERT/CC vulnerability note VU#748485 serves as the primary advisory. No workaround is documented; DRC INSIGHT operators should isolate the COS server on a trusted network segment, restrict network access to authorized devices, and apply any vendor-supplied update when available [1][2].
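As an added illustration of the controls the narrative above says are missing (this is example code, not DRC's implementation and not from the advisory), here is a hypothetical guard that a configuration endpoint such as /v0/configuration would apply before persisting a payload: caller authentication, a source-network restriction of the kind the mitigation recommends, and allowlist validation of endpoint values such as httpsProxy. The token, networks, hosts and the storageUrl/listenPort key names are constructed assumptions.

```python
import hmac
import ipaddress
import json
from typing import List, Optional
from urllib.parse import urlparse

# Constructed policy values for this example (placeholders, not real DRC settings).
ADMIN_TOKEN = "placeholder-admin-token"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_HOSTS = {"storage.example.internal", "proxy.example.internal"}
ALLOWED_KEYS = {"httpsProxy", "storageUrl", "listenPort"}  # assumed key names


def _endpoint_ok(value) -> bool:
    """Accept only https URLs whose host is on the allowlist."""
    if not isinstance(value, str):
        return False
    url = urlparse(value)
    return url.scheme == "https" and url.hostname in ALLOWED_HOSTS


def check_config_request(source_ip: str, token: Optional[str], body: bytes) -> List[str]:
    """Return the reasons to reject a configuration write; [] means accept.

    All checks run so an operator reviewing a rejected request sees every problem.
    """
    reasons = []
    if token is None or not hmac.compare_digest(token, ADMIN_TOKEN):
        reasons.append("unauthenticated caller")
    try:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append(f"source {source_ip} outside trusted segment")
    except ValueError:
        reasons.append("unparseable source address")
    try:
        cfg = json.loads(body)
    except ValueError:
        return reasons + ["malformed JSON"]  # would otherwise break startup
    if not isinstance(cfg, dict):
        return reasons + ["payload is not an object"]
    for key in sorted(set(cfg) - ALLOWED_KEYS):
        reasons.append(f"unknown key {key}")
    for key in ("httpsProxy", "storageUrl"):  # outbound endpoints: allowlist only
        if key in cfg and not _endpoint_ok(cfg[key]):
            reasons.append(f"{key} points outside the allowlist")
    port = cfg.get("listenPort")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        reasons.append("invalid listenPort")
    return reasons
```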

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 1