<Vulnerability name="CVE-2026-48614">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Critical</ThreatSeverity>
    <PublicDate>2026-07-06T16:46:05</PublicDate>
    <Bugzilla id="2497412" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497412" xml:lang="en:us">
Plesk: Plesk: Privilege escalation via improper authorization in XML API
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>9.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-15</CWE>
    <Details xml:lang="en:us" source="Mitre">
An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Plesk. An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives. This can result in arbitrary file write as root, leading to full privilege escalation on the underlying server.
    </Details>
    <Statement xml:lang="en:us">
Critical:An improper authorization vulnerability exists in the Plesk XML API that allows an authenticated user to inject arbitrary configuration directives, potentially resulting in arbitrary file writes as root and privilege escalation. Although the go-acme/lego dependency is present, Red Hat OpenShift Dev Spaces does not ship or use the affected Plesk functionality. Therefore, the vulnerable code path is not exposed in this product.
    </Statement>
    <Mitigation xml:lang="en:us">
Red Hat OpenShift Dev Spaces is not affected because it does not ship or rely on Plesk or expose the Plesk XML API. The vulnerable functionality resides within the Plesk-specific integration of the go-acme/lego library, which is not used by the product. Authentication is also required to exploit the vulnerability. No product changes are required.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>devspaces/traefik-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-48614
https://nvd.nist.gov/vuln/detail/CVE-2026-48614
https://support.plesk.com/hc/en-us/articles/41171817973143-Vulnerability-in-Plesk-XML-API
    </References>
</Vulnerability>