LiveActive security incident?Get immediate response
CVE Record

CVE-2022-26595: Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not proper...

Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 does not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This flaw lets a logged-in Liferay user see a list of sites or groups they should not be allowed to view. It is an access-control issue, not evidence of full system compromise. Business impact depends on whether site or group names reveal sensitive organizational structure, projects, customers, or internal communities.

Executive priority

Treat this as a moderate-priority confidentiality issue. It is most urgent where Liferay exposes sensitive site, group, customer, or project names to large populations of authenticated users.

Technical view

Affected Liferay Portal 7.3.7, 7.4.0, and 7.4.1, plus Liferay DXP 7.2 fix pack 13 and 7.3 fix pack 2, improperly check permissions in the user site membership assignment UI. A remote authenticated user can view site/group listings without proper authorization.

Likely exposure

Exposure is limited to deployments running the listed Liferay Portal or DXP versions where untrusted or broadly provisioned authenticated users can access the user site membership assignment UI.

Exploitation context

The provided sources describe remote authenticated unauthorized viewing of site/group lists. They do not report public exploitation, weaponized exploit availability, CVSS scoring, or CISA KEV listing.

Researcher notes

Evidence is narrow but consistent: the issue is improper permission checking around site/group list access through membership assignment UI. The source bundle does not provide CVSS, CWE mapping, patch version details, exploit indicators, or proof-of-concept material.

Mitigation direction

  • Review Liferay’s advisory for the vendor-supported fixed version or remediation path.
  • Prioritize upgrades for internet-facing or multi-tenant Liferay deployments.
  • Restrict access to user membership administration functions to trusted roles.
  • Audit low-privilege accounts that can reach membership assignment screens.
  • Monitor Liferay logs for unusual access to user membership management views.

Validation and detection

  • Inventory Liferay Portal and DXP versions against the affected versions listed in the advisory.
  • Confirm whether non-admin authenticated users can access membership assignment UI paths.
  • Verify authorization checks block site/group listing for users without required permissions.
  • Review recent access logs for unexpected site or group enumeration activity.
  • Document compensating controls if immediate upgrade is not possible.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-26595 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
2Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.