CVE 8.8 HIGH

CVE-2026-9089_CVE-2026-9089

May 21, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.

AI Analysis

The ConnectWise Automate Agent is vulnerable to authentication bypass due to incomplete verification of components during plugin loading and self-update operations.

Basic Information

ID CVE-2026-9089

Source ConnectWise

Published May 21, 2026 at 14:32

Affected Product

Vendor ConnectWise

Product Automate

Version All versions prior to 2026.5

Affected Versions ConnectWise Automate All versions prior to 2026.5

CWE Classification

CWE-494

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor ConnectWise

Product Automate

Version All versions prior to 2026.5

References

www.connectwise.com /company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin

{
    "lastseen": "",
    "description": "The ConnectWise Automate\u2122 Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.",
    "published": "2026-05-21T14:32:14.029Z",
    "modified": "2026-05-21T14:32:14.029Z",
    "type": "cve",
    "title": "CVE-2026-9089",
    "source": "ConnectWise",
    "references": "https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin",
    "id": "CVE-2026-9089",
    "bulletinFamily": "",
    "cwe": [
        "CWE-494"
    ],
    "cvelist": null,
    "sourceData": "ConnectWise Automate All versions prior to 2026.5",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Automate",
    "version": "All versions prior to 2026.5",
    "vendor": "ConnectWise",
    "ai_description": "The ConnectWise Automate Agent is vulnerable to authentication bypass due to incomplete verification of components during plugin loading and self-update operations.",
    "ai_severity": "High",
    "ai_vendor": "ConnectWise",
    "ai_product": "Automate",
    "ai_version": "All versions prior to 2026.5",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply