CVE-2016-10086 in Service Desk Manager
Summary
by MITRE
RESTful web services in CA Service Desk Manager 12.9 and CA Service Desk Management 14.1 might allow remote authenticated users to read or modify task information by leveraging incorrect permissions applied to a RESTful request.
Analysis
by VulDB Data Team • 05/13/2026
The vulnerability identified as CVE-2016-10086 affects CA Service Desk Manager 12.9 and CA Service Desk Management 14.1, representing a critical access control flaw within their RESTful web services implementation. The issue stems from improper permission validation that fails to enforce security boundaries when processing RESTful API requests. The flaw is exploitable by authenticated users, who can leverage the misconfigured access controls to gain unauthorized access to task information held in the service desk management system.
The technical flaw manifests through insufficient input validation and authorization checks within the RESTful service endpoints. When authenticated users make requests to the web services, the system fails to properly verify whether the requesting user possesses appropriate permissions for the specific task data being accessed or modified. This misconfiguration creates a path for privilege escalation where legitimate users can manipulate API requests to access information outside their designated authorization scope. The vulnerability operates at the application layer and leverages the existing authentication mechanisms rather than bypassing them entirely.
The operational impact of this vulnerability extends beyond simple data exposure, as it enables both information disclosure and data modification capabilities. An authenticated attacker can potentially read sensitive task information including user details, service requests, incident reports, and other confidential data that should remain restricted to authorized personnel. Additionally, the modification capability allows attackers to alter task records, potentially corrupting service desk data or manipulating workflow processes. This creates significant risks for organizations relying on service desk systems for critical business operations and compliance requirements.
Security professionals should consider this vulnerability in the context of CWE-285, which addresses improper authorization in software systems. The flaw aligns with ATT&CK technique T1078 (Valid Accounts), which covers privilege escalation through legitimate system access. Organizations should implement immediate mitigations including comprehensive access control reviews, patch management for affected versions, and monitoring of API access patterns for suspicious activity. Remediation requires thorough validation of the permission model and implementation of proper input sanitization so that every RESTful endpoint enforces strict authorization checks based on user roles and entitlements.
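As an added illustration (not code from CA Service Desk Manager or VulDB), the gap described above and its remediation in a minimal task endpoint: the first handler verifies only that a session exists, the second also decides, per task and per HTTP verb, whether that user may read or modify it. The user and task fields and the policy rules are assumptions.

```python
# Added illustration, not CA code: authentication-only handler beside a hardened one.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # e.g. {"admin"}
    groups: set = field(default_factory=set)  # support groups the user belongs to

@dataclass
class Task:
    requester: str
    assignee: str
    group: str
    description: str

# Constructed sample rows standing in for the service desk's task table.
TASKS = {
    "T100": Task("alice", "bob", "network", "Reset VPN certificate"),
    "T200": Task("carol", "dave", "hr-systems", "Payroll export failed"),
}

def handle_task_authn_only(user, method, task_id, body=None):
    # Vulnerable pattern: only identity is verified, so any logged-in user can
    # read or modify any task just by varying task_id in the request.
    if user is None:
        raise PermissionError("authentication required")
    task = TASKS[task_id]
    if method == "PUT":
        task.description = body["description"]
    return task

def authorized(user, task, method):
    # Assumed object-level policy: admins and the owning support group may do
    # anything; the assignee may read and modify; the requester may only read.
    if "admin" in user.roles or task.group in user.groups:
        return True
    if user.name == task.assignee:
        return True
    return method == "GET" and user.name == task.requester

def handle_task(user, method, task_id, body=None):
    # Hardened: authorization is checked for this task and verb before any I/O.
    if user is None:
        raise PermissionError("authentication required")
    task = TASKS[task_id]
    if not authorized(user, task, method):
        raise PermissionError(f"{user.name} may not {method} {task_id}")
    if method == "PUT":
        task.description = body["description"]
    return task
```

Denials from the hardened handler are the events worth logging, since a burst of them from one account across many task ids is the access pattern the analysis recommends monitoring for.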