eastbaycyber

CVE-2026-5200: Acme Portal Password Reset Token Exposure

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-20
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

TL;DR - Acme Portal before 4.2.7 can leak password reset tokens via /api/debug/reset. - Internet-facing instances are most exposed; upgrade to 4.2.7+ and review logs now. - Public PoC exists; in-the-wild exploitation is not confirmed from KEV.

Field Value
CVE ID CVE-2026-5200
CVSS score 7.5 (High)
Attack vector Network
Auth required None
Patch status Fixed in Acme Portal 4.2.7

Vulnerability at a Glance

CVE-2026-5200 is a high-severity information disclosure issue in Acme Portal. According to the NVD description, Acme Portal before version 4.2.7 exposes password reset tokens via a verbose debug endpoint when crafted unauthenticated requests are sent to /api/debug/reset. In practical terms, this means a remote attacker does not need credentials or user interaction to retrieve sensitive reset data from a reachable instance.

The impact goes beyond simple data exposure. Password reset tokens are typically sufficient to complete a password reset workflow for the targeted account. That makes this bug operationally closer to an account takeover enabler than a benign debug leak. The CVSS vector reflects the low barrier to exploitation: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Confidentiality impact is rated high, while integrity and availability are not directly scored by CVSS, even though account takeover can obviously have downstream business impact.

What This Vulnerability Is and Why It Matters

The vulnerability is rooted in a verbose debug endpoint exposed at /api/debug/reset. Based on the available record, specially crafted unauthenticated requests can trigger output that includes password reset tokens. That behavior is a textbook CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Even if the endpoint was intended for troubleshooting, exposing reset artifacts to unauthenticated callers collapses the trust boundary around the password recovery process.

For defenders, the “so what” is straightforward: if an attacker can harvest valid reset tokens, they may be able to reset user passwords without phishing, malware, or prior account access. That can lead to immediate compromise of administrative or customer accounts, depending on how Acme Portal is used in your environment. Any deployment reachable from untrusted networks should be treated as high priority, especially because the attack requires no authentication, no user interaction, and low complexity.

AnalystImpact · assess the risk

Affected Versions and Fixed Release

The affected product is Acme Portal, with the NVD record stating that all versions before 4.2.7 are vulnerable. The fixed version explicitly listed is 4.2.7. Because the vendor advisory and GitHub advisory pages were not retrievable during collection, there is no independently confirmed narrower affected range available here beyond the NVD wording.

Defenders should therefore work from the conservative assumption that every Acme Portal deployment running any version earlier than 4.2.7 is affected until they can validate otherwise through vendor documentation in their own environment. If you maintain version inventories via CMDB, package management, container image tags, or deployment manifests, use those records to identify all instances below 4.2.7 and prioritize internet-facing and externally accessible systems first.

Product Affected Versions Fixed Version
Acme Portal Before 4.2.7 4.2.7

CVSS Score Breakdown

CVE-2026-5200 has a CVSS v3.1 base score of 7.5 (High). The vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Each component matters operationally. AV:N means the bug is reachable over the network. AC:L means exploitation is not expected to require unusual conditions. PR:N and UI:N mean an attacker does not need an account or user assistance to trigger the flaw.

The score emphasizes confidentiality impact (C:H) because the bug leaks sensitive reset tokens. The CVSS vector does not score direct integrity or availability damage, but security teams should not read that as “low business risk.” In this case, exposed tokens can be used to reset passwords and compromise accounts. That can become an identity, fraud, or lateral movement event even if the initial bug is categorized as information disclosure.

Exploitation Status

There is a meaningful difference between public exploitability and confirmed active exploitation, and defenders should keep both in view here. The available data says public PoC code is available. That matters because proof-of-concept code reduces the effort required for opportunistic scanning and exploitation, especially for internet-facing targets. Once a PoC exists, lower-skill actors can often operationalize it quickly.

At the same time, confirmed exploitation in the wild is not established from CISA KEV. The KEV lookup for this CVE is false, meaning it is not currently listed in the Known Exploited Vulnerabilities catalog. That does not prove nobody is exploiting it; it only means there is no KEV-backed confirmation at this time. The right defender assumption is: treat this as exploitable and likely to be probed, even if broad in-the-wild exploitation has not been publicly confirmed.

Signal Status
Public PoC available Yes
CISA KEV listed No
Confirmed in the wild from KEV No
Defender assumption Exploitation is feasible and likely to be attempted
ResponderRunbook · act now

How to Detect It

Detection should start with HTTP access logs, reverse proxy logs, WAF telemetry, and application logs for requests to /api/debug/reset. Because the endpoint is described as unauthenticated, any direct requests from untrusted IP space should be treated as suspicious until proven otherwise. If your normal application workflow never calls that path from browsers or approved internal automation, the signal quality may be high.

You should also review for post-exposure account activity that could indicate successful token abuse. That includes password reset completions, unusual password-change events, logins from new IPs shortly after debug endpoint access, and step-up authentication prompts or lockouts affecting high-value accounts. If logs are incomplete, assume some exposure may have occurred and focus on privileged users, external administrators, and customer support accounts first.

Technical Notes

A simple first-pass grep on web logs can help identify requests hitting the vulnerable endpoint:

grep -R '"/api/debug/reset' /var/log/nginx/ /var/log/httpd/ 2>/dev/null

Example suspicious log patterns to hunt for:

203.0.113.45 - - [20/May/2026:08:14:22 +0000] "GET /api/debug/reset HTTP/1.1" 200 842 "-" "curl/8.5.0"
198.51.100.72 - - [20/May/2026:08:15:03 +0000] "POST /api/debug/reset HTTP/1.1" 200 913 "-" "python-requests/2.32.0"
192.0.2.14 - - [20/May/2026:08:16:41 +0000] "GET /api/debug/reset?user=admin HTTP/1.1" 200 877 "-" "Mozilla/5.0"

If you use Splunk, a basic query to surface likely probing looks like this:

index=web OR index=proxy
(uri_path="/api/debug/reset" OR url="*/api/debug/reset*")
| stats count min(_time) as first_seen max(_time) as last_seen values(src_ip) as src_ip values(user_agent) as user_agent values(status) as status by host
| convert ctime(first_seen) ctime(last_seen)

For Elastic / Kibana environments, an equivalent KQL search could be:

url.path : "/api/debug/reset" or url.original : "*\/api\/debug\/reset*"

If you have IDS or network telemetry, look for a simple HTTP URI match:

alert http any any -> $HOME_NET any (msg:"Possible CVE-2026-5200 probing - Acme Portal debug reset endpoint"; flow:to_server,established; http.uri; content:"/api/debug/reset"; nocase; sid:52002600; rev:1;)

Mitigation and Patching

The primary remediation is clear from the available record: upgrade Acme Portal to version 4.2.7 or later. Because the vendor advisory content was not retrievable, there is no authoritative workaround text available beyond patching. In the absence of vendor-confirmed compensating controls, defenders should not assume that hiding the endpoint, rate limiting, or relying on authentication middleware is a sufficient substitute for upgrading.

If immediate upgrade is not possible, apply temporary exposure reduction measures while you plan emergency maintenance. These should include restricting access to the Acme Portal application, especially from the public internet; blocking requests to /api/debug/reset at the reverse proxy or WAF if that path is not required; and reviewing recent password reset events for suspicious activity. After patching, consider invalidating outstanding password reset tokens and forcing password resets for accounts you believe may have been exposed.

Technical Notes

If you manage Acme Portal as a containerized service, upgrade by pulling and deploying version 4.2.7 or later. The exact image name is environment-specific, so verify against your internal registry or deployment manifests before running commands. A generic Docker-style example:

docker pull acme/portal:4.2.7
docker stop acme-portal
docker rm acme-portal
docker run -d --name acme-portal -p 443:8443 acme/portal:4.2.7

For Kubernetes-style deployments, update the image tag and roll out the change:

kubectl set image deployment/acme-portal acme-portal=acme/portal:4.2.7
kubectl rollout status deployment/acme-portal

If you cannot patch immediately, a temporary reverse-proxy block for the debug endpoint may reduce exposure. Example NGINX configuration:

location = /api/debug/reset {
    deny all;
    return 403;
}

Reload after validating configuration:

nginx -t && systemctl reload nginx

Because the endpoint leaks reset tokens, defenders should also consider invalidating active reset artifacts after patching if the application supports it. If the product has a token store in a database or cache, use the vendor-supported maintenance process where available. If no documented process exists, coordinate with application owners before deleting reset data to avoid disrupting legitimate recovery workflows.

Response Priorities for Practitioners

First, identify every Acme Portal instance running a version before 4.2.7. Second, determine exposure: internet-facing systems, systems behind VPN, and internal-only systems should be triaged separately, with public exposure taking priority. Third, review logs for requests to /api/debug/reset, especially from unknown IPs, automation user agents, or bursts of requests across multiple hosts.

Fourth, if you find evidence of suspicious access, move from vulnerability management to incident response. Review affected accounts, reset credentials, invalidate sessions where supported, rotate privileged passwords, and check for follow-on activity such as unusual login patterns or administrative changes. Because this issue can enable account takeover, successful exploitation may not leave malware-style artifacts; identity and audit logs become central to scoping.

References

The most authoritative source used here is the NVD CVE record for CVE-2026-5200. The NVD description is the basis for the affected versions, endpoint path, vulnerability type, and fixed release. The CISA KEV lookup confirms only that the issue is not currently listed in KEV.

Additional references were present in the CVE record but could not be fully validated during collection due retrieval issues on the referenced pages. Defenders should consult those pages directly from a trusted environment if available to confirm any updated vendor guidance, patch notes, or PoC details before making operational decisions.

For further reading on related vulnerabilities, check out our glossary on what is CVE and the daily threat digest.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-20

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.