CVE-2026-33451 - Vulnerability Details - OpenCVE

CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Absolute	Secure Access

No data.

No data.

References

Link	Providers
https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451

History

Fri, 01 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 01 May 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Absolute Absolute secure Access
Vendors & Products		Absolute Absolute secure Access

Fri, 01 May 2026 05:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-269 CWE-277

Thu, 30 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system.
Title		Arbitrary read/write vulnerability in Windows clients prior to 14.50
References		https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451
Metrics		cvssV4_0 `{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Absolute

Published: 2026-04-30T20:08:03.213Z

Updated: 2026-05-01T14:36:19.832Z

Reserved: 2026-03-19T23:04:05.696Z

Link: CVE-2026-33451

Vulnrichment

Updated: 2026-05-01T14:36:16.170Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T21:16:31.800

Modified: 2026-05-01T15:28:29.083

Link: CVE-2026-33451

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33451", "assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079", "state": "PUBLISHED", "assignerShortName": "Absolute", "dateReserved": "2026-03-19T23:04:05.696Z", "datePublished": "2026-04-30T20:08:03.213Z", "dateUpdated": "2026-05-01T14:36:19.832Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b6533044-ea05-4482-8458-7bddeca0d079", "shortName": "Absolute", "dateUpdated": "2026-04-30T20:08:03.213Z"}, "title": "Arbitrary read/write vulnerability in Windows clients prior to 14.50", "affected": [{"vendor": "Absolute Software", "product": "Secure Access", "platforms": ["Windows"], "modules": ["Windows client"], "versions": [{"status": "affected", "version": "0", "lessThan": "14.50", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system."}]}], "references": [{"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-01T14:36:03.654479Z", "id": "CVE-2026-33451", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-01T14:36:19.832Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Arbitrary read/write vulnerability in Windows clients prior to 14.50", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Absolute Software", "modules": ["Windows client"], "product": "Secure Access", "versions": [{"status": "affected", "version": "0", "lessThan": "14.50", "versionType": "custom"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system.", "supportingMedia": [{"type": "text/html", "value": "CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system.", "base64": false}]}], "providerMetadata": {"orgId": "b6533044-ea05-4482-8458-7bddeca0d079", "shortName": "Absolute", "dateUpdated": "2026-04-30T20:08:03.213Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33451", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-01T14:36:03.654479Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-05-01T14:36:16.170Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33451", "state": "PUBLISHED", "dateUpdated": "2026-04-30T20:08:03.213Z", "dateReserved": "2026-03-19T23:04:05.696Z", "assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079", "datePublished": "2026-04-30T20:08:03.213Z", "assignerShortName": "Absolute"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system."}], "id": "CVE-2026-33451", "lastModified": "2026-05-01T15:28:29.083", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "SecurityResponse@netmotionsoftware.com", "type": "Secondary"}]}, "published": "2026-04-30T21:16:31.800", "references": [{"source": "SecurityResponse@netmotionsoftware.com", "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451"}], "sourceIdentifier": "SecurityResponse@netmotionsoftware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}