CVE-2026-1241 (GCVE-0-2026-1241)

Vulnerability from cvelistv5 – Published: 2026-02-26 19:21 – Updated: 2026-02-26 20:43
VLAI?
Title
Authentication Bypass Using an Alternate Path or Channel in Pelco, Inc. Sarix Pro 3 Series IP Cameras
Summary
The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
Vendor Product Version
Pelco, Inc. Sarix Professional IMP 3 Series Affected: 0 , ≤ 02.52 (custom)
Create a notification for this product.
Credits
Souvik Kandar
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1241",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T20:43:12.875844Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T20:43:53.216Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sarix Professional IMP 3 Series",
          "vendor": "Pelco, Inc.",
          "versions": [
            {
              "lessThanOrEqual": "02.52",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Sarix Professional IXP 3 Series",
          "vendor": "Pelco, Inc.",
          "versions": [
            {
              "lessThanOrEqual": "02.52",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Sarix Professional IBP 3 Series",
          "vendor": "Pelco, Inc.",
          "versions": [
            {
              "lessThanOrEqual": "02.52",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Sarix Professional IWP 3 Series",
          "vendor": "Pelco, Inc.",
          "versions": [
            {
              "lessThanOrEqual": "02.52",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Souvik Kandar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.\u003cbr\u003e"
            }
          ],
          "value": "The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T19:21:26.754Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.\u003cbr\u003e\u003cbr\u003eMore information can be found by visiting Pelco, Inc\u0027s technical support page (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.pelco.com/support\"\u003ehttps://www.pelco.com/support\u003c/a\u003e) for assistance.\u003cbr\u003e"
            }
          ],
          "value": "Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.\n\nMore information can be found by visiting Pelco, Inc\u0027s technical support page ( https://www.pelco.com/support ) for assistance."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Bypass Using an Alternate Path or Channel in Pelco, Inc. Sarix Pro 3 Series IP Cameras",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-1241",
    "datePublished": "2026-02-26T19:21:26.754Z",
    "dateReserved": "2026-01-20T18:26:34.854Z",
    "dateUpdated": "2026-02-26T20:43:53.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-1241\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2026-02-26T20:31:33.657\",\"lastModified\":\"2026-02-27T14:06:37.987\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-288\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1241\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-26T20:43:12.875844Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-26T20:43:17.816Z\"}}], \"cna\": {\"title\": \"Authentication Bypass Using an Alternate Path or Channel in Pelco, Inc. Sarix Pro 3 Series IP Cameras\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Souvik Kandar\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Pelco, Inc.\", \"product\": \"Sarix Professional IMP 3 Series\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"02.52\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Pelco, Inc.\", \"product\": \"Sarix Professional IXP 3 Series\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"02.52\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Pelco, Inc.\", \"product\": \"Sarix Professional IBP 3 Series\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"02.52\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Pelco, Inc.\", \"product\": \"Sarix Professional IWP 3 Series\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"02.52\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.\\n\\nMore information can be found by visiting Pelco, Inc\u0027s technical support page ( https://www.pelco.com/support ) for assistance.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.\u003cbr\u003e\u003cbr\u003eMore information can be found by visiting Pelco, Inc\u0027s technical support page (\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.pelco.com/support\\\"\u003ehttps://www.pelco.com/support\u003c/a\u003e) for assistance.\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-02\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-288\", \"description\": \"CWE-288 Authentication Bypass Using an Alternate Path or Channel\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2026-02-26T19:21:26.754Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-1241\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T20:43:53.216Z\", \"dateReserved\": \"2026-01-20T18:26:34.854Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2026-02-26T19:21:26.754Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.