PT-2026-6358 — Github.Com/Lf-Edge/Eve

PT-2026-6358 · Go · Github.Com/Lf-Edge/Eve

Published

2026-02-04

Updated

2026-02-04

CVSS v3.1

5.9

Medium

Vector

AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Impact

On boot, Pillar checks for /config/GlobalConfig/global.json and overrides system configuration if present. This allows enabling debug functions like SSH (debug.enable.ssh), USB keyboard (debug.enable.usb), and VNC access (app.allow.vnc) without triggering the measured boot. Thus, a user with physical access can take out the disk and modify the content of this file in the /config partition and then re-insert the disk.

Patches

Fixed in 10.1.0 and 9.4.3-lts

Workarounds

None

Fix

Insufficiently Protected Credentials

Insecure Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-522CWE-922

Related Identifiers

GHSA-4C4V-42HC-72P6

Affected Products