CVE-2022-26595: Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not proper...
Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.
Security readout for executives and security teams
Plain-English summary
This flaw lets a logged-in Liferay user see a list of sites or groups they should not be allowed to view. It is an access-control issue, not evidence of full system compromise. Business impact depends on whether site or group names reveal sensitive organizational structure, projects, customers, or internal communities.
Executive priority
Treat this as a moderate-priority confidentiality issue. It is most urgent where Liferay exposes sensitive site, group, customer, or project names to large populations of authenticated users.
Technical view
Affected Liferay Portal 7.3.7, 7.4.0, and 7.4.1, plus Liferay DXP 7.2 fix pack 13 and 7.3 fix pack 2, improperly check permissions in the user site membership assignment UI. A remote authenticated user can view site/group listings without proper authorization.
Likely exposure
Exposure is limited to deployments running the listed Liferay Portal or DXP versions where untrusted or broadly provisioned authenticated users can access the user site membership assignment UI.
Exploitation context
The provided sources describe remote authenticated unauthorized viewing of site/group lists. They do not report public exploitation, weaponized exploit availability, CVSS scoring, or CISA KEV listing.
Researcher notes
Evidence is narrow but consistent: the issue is improper permission checking around site/group list access through membership assignment UI. The source bundle does not provide CVSS, CWE mapping, patch version details, exploit indicators, or proof-of-concept material.
Mitigation direction
Review Liferay’s advisory for the vendor-supported fixed version or remediation path.
Prioritize upgrades for internet-facing or multi-tenant Liferay deployments.
Restrict access to user membership administration functions to trusted roles.
Audit low-privilege accounts that can reach membership assignment screens.
Monitor Liferay logs for unusual access to user membership management views.
Validation and detection
Inventory Liferay Portal and DXP versions against the affected versions listed in the advisory.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-26595 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 19, 2022, 12:52 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.