CVE-2026-50590 Overview
CVE-2026-50590 is an arbitrary file access vulnerability in Mimecast Incydr versions before 2.6.0. The flaw stems from incorrect permission assignment for critical resources [CWE-732], allowing a local attacker to read or interact with files outside the intended access boundary. Mimecast Incydr is an insider risk management agent that monitors data exfiltration and user activity on endpoints. Successful exploitation requires local access and high attack complexity, limiting opportunistic abuse. The vulnerability impacts confidentiality and integrity at a limited scope and does not affect availability. Mimecast addressed the issue in Incydr 2.6.0 according to the Insider Risk Agent release notes.
Critical Impact
A local attacker who meets specific runtime conditions can access files that should be restricted by the Incydr agent's permission model, potentially exposing monitored data or agent internals.
Affected Products
- Mimecast Incydr Insider Risk Agent versions prior to 2.6.0
- Endpoints running the affected Mimecast Incydr client
- Environments relying on Incydr for insider risk monitoring before the 2.6.0 release
Discovery Timeline
- 2026-06-05 - CVE-2026-50590 published to the National Vulnerability Database (NVD)
- 2026-06-05 - Last updated in NVD database
Technical Details for CVE-2026-50590
Vulnerability Analysis
The vulnerability is classified under [CWE-732] Incorrect Permission Assignment for Critical Resource. Mimecast Incydr, prior to version 2.6.0, assigns permissions to one or more files or resources in a manner that permits unintended actors to access them. Because the agent runs with elevated privileges to monitor user activity, files or directories created or managed by the agent may inherit permissions that allow a non-privileged local user to read sensitive content.
The attack vector is local (AV:L), requires no privileges or user interaction, and produces low confidentiality and integrity impact across a changed scope. Scope change indicates that the impacted resources extend beyond the security authority of the Incydr agent itself. High attack complexity reflects that exploitation depends on specific timing, file states, or environmental conditions rather than a trivial sequence of actions.
Root Cause
The root cause is improper permission assignment on resources managed by the Incydr agent. When files, directories, or interprocess communication endpoints are created without restrictive access control lists (ACLs), local users on the host can interact with them outside the intended trust boundary. Insider risk agents commonly write activity logs, staged artifacts, and configuration data to local storage, making correct permission hardening essential.
Attack Vector
Exploitation requires local access to a host running a vulnerable Incydr agent. An attacker authenticated as any local user can attempt to read or operate on agent-controlled resources without needing administrative rights. The high complexity rating suggests the attacker must satisfy non-trivial preconditions, such as racing the agent during specific operations or locating transient files. Public proof-of-concept code is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified code examples are available. Refer to the Mimecast Insider Risk Agent Release Notes for vendor technical details.
Detection Methods for CVE-2026-50590
Indicators of Compromise
- Unexpected access events on files and directories owned by the Mimecast Incydr agent from non-administrative user contexts
- Local user processes opening handles to Incydr working directories, log paths, or temporary artifacts
- Installed Incydr agent versions below 2.6.0 reported by software inventory tools
Detection Strategies
- Inventory all endpoints to identify hosts running Incydr versions earlier than 2.6.0 and prioritize them for upgrade
- Audit file system ACLs on Incydr installation and data directories to confirm only privileged accounts have read or write access
- Correlate local file access events with the originating process and user account to surface non-agent processes touching agent resources
Monitoring Recommendations
- Enable file integrity monitoring on Incydr agent directories to detect unauthorized reads or modifications
- Forward endpoint telemetry to a centralized analytics platform and alert on anomalous local access patterns against insider risk tooling
- Track agent version compliance continuously and flag any regression below 2.6.0
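One way to correlate file access events with the originating process and user, as described in the detection strategies above. This is an added example, not Mimecast code; it assumes Windows object-access auditing (Security event 4663) is enabled on the agent directories, and the directory path, agent binary path and sample records are placeholders constructed for illustration.

```powershell
# Added example (not vendor code). ASSUMPTIONS: both defaults are placeholders;
# 4663 is only logged when object-access auditing and a SACL cover the directory.
param(
    [string]$AgentDir = 'C:\PLACEHOLDER\IncydrAgentDirectory',
    [string[]]$AgentProcess = @('C:\PLACEHOLDER\IncydrAgentDirectory\agent.exe')
)

function Find-AgentDirAccess {
    param([string[]]$EventXml)
    $root = $AgentDir.TrimEnd('\')
    $prefix = $root + '\'
    foreach ($raw in $EventXml) {
        # Index the EventData fields by their Name attribute.
        $f = @{}
        foreach ($n in ([xml]$raw).Event.EventData.Data) {
            $f[$n.GetAttribute('Name')] = $n.InnerText
        }
        $obj = [string]$f['ObjectName']
        $inDir = ($obj -ieq $root) -or
                 $obj.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $inDir) { continue }
        # Access by the agent's own binary is expected; report everything else.
        if ($AgentProcess -contains $f['ProcessName']) { continue }
        [pscustomobject]@{
            User       = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
            Process    = $f['ProcessName']
            Object     = $obj
            AccessMask = $f['AccessMask']
        }
    }
}

# Constructed sample records, trimmed to the fields used above.
$ns  = 'http://schemas.microsoft.com/win/2004/08/events/event'
$tpl = "<Event xmlns='$ns'><EventData>" +
       "<Data Name='SubjectUserName'>{0}</Data><Data Name='SubjectDomainName'>WKSTN01</Data>" +
       "<Data Name='ObjectName'>{1}</Data><Data Name='ProcessName'>{2}</Data>" +
       "<Data Name='AccessMask'>0x1</Data></EventData></Event>"
$sample = @(
    ($tpl -f 'SYSTEM', "$AgentDir\log\agent.log", $AgentProcess[0]),
    ($tpl -f 'alice',  "$AgentDir\log\agent.log", 'C:\Windows\System32\cmd.exe'),
    ($tpl -f 'alice',  'C:\Users\alice\notes.txt', 'C:\Windows\System32\notepad.exe')
)
# Only the second record (cmd.exe reading inside the agent directory) is reported.
Find-AgentDirAccess -EventXml $sample | Format-Table -AutoSize

# Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} |
#   ForEach-Object { Find-AgentDirAccess -EventXml $_.ToXml() }
```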
How to Mitigate CVE-2026-50590
Immediate Actions Required
- Upgrade Mimecast Incydr Insider Risk Agent to version 2.6.0 or later across all managed endpoints
- Validate that local non-administrative users cannot read Incydr-managed directories after upgrade
- Restrict interactive local logon on systems running Incydr to reduce the population of users able to attempt exploitation
Patch Information
Mimecast resolved CVE-2026-50590 in Incydr Insider Risk Agent version 2.6.0. Deployment details and version history are documented in the Mimecast Insider Risk Agent Release Notes. Apply the update through standard endpoint management tooling and verify the installed version after deployment.
Workarounds
- Apply restrictive ACLs to Incydr installation, data, and log directories so only SYSTEM and administrators can read them, where supported
- Limit local account provisioning on monitored endpoints and enforce least-privilege policies until patching completes
- Use application control to block unauthorized binaries from executing in user contexts that could attempt local exploitation
# Configuration example: verify installed Incydr agent version on Windows
powershell -Command "Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*Incydr*' } | Select-Object DisplayName, DisplayVersion"
# Linux: inspect agent package version
dpkg -l | grep -i incydr # Debian/Ubuntu
rpm -qa | grep -i incydr # RHEL/CentOS
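The ACL audit called for under Detection Strategies, and the post-upgrade validation and restrictive-ACL workaround above, can be checked with a script along these lines. This is an added example, not Mimecast code; the directory path is a placeholder and the list of principals treated as privileged is an assumption to adjust to local policy.

```powershell
# Added example (not vendor code): list ACEs that grant non-privileged
# principals read, write, delete or permission rights on agent directories.
param(
    # ASSUMPTION: placeholder path; substitute the real Incydr install,
    # data and log directories for your deployment.
    [string[]]$Path = @('C:\PLACEHOLDER\IncydrAgentDirectory')
)

# Principals allowed to hold access (adjust to local policy):
# SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller.
$AllowedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Specific rights of concern, plus GENERIC_READ/WRITE/ALL, which
# inherit-only ACEs often carry instead of specific rights.
$Specific = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Mask = [int]$Specific -bor -805306368   # -805306368 is 0xD0000000 as Int32

function Get-NonPrivilegedAce {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Path not found: $Root"
        return
    }
    # Check the root itself and everything beneath it.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($AllowedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @($Path | ForEach-Object { Get-NonPrivilegedAce -Root $_ })
$findings | Format-Table -AutoSize -Wrap
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit for compliance tooling
```

Run it from an elevated session so that `Get-Acl` can read every descriptor; an empty result means no Allow entry outside the allowed list was found on the paths checked.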


