CVE-2026-9089 - Vulnerability Details - OpenCVE

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Connectwise	Automate

No data.

No data.

References

Link	Providers
https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin

History

Thu, 21 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Title		Agent Fails to Verify Authenticity of Plugin Components During Update
First Time appeared		Connectwise Connectwise automate
Vendors & Products		Connectwise Connectwise automate

Thu, 21 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 21 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.
Weaknesses		CWE-494
References		https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: ConnectWise

Published: 2026-05-21T14:32:14.029Z

Updated: 2026-05-21T15:55:31.691Z

Reserved: 2026-05-20T15:02:32.409Z

Link: CVE-2026-9089

Vulnrichment

Updated: 2026-05-21T15:55:28.169Z

NVD

Status : Awaiting Analysis

Published: 2026-05-21T16:16:23.570

Modified: 2026-05-21T19:10:21.527

Link: CVE-2026-9089

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9089", "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "state": "PUBLISHED", "assignerShortName": "ConnectWise", "dateReserved": "2026-05-20T15:02:32.409Z", "datePublished": "2026-05-21T14:32:14.029Z", "dateUpdated": "2026-05-21T15:55:31.691Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "shortName": "ConnectWise", "dateUpdated": "2026-05-21T14:32:14.029Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-494", "description": "CWE-494 Download of code without integrity check", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-186", "descriptions": [{"lang": "en", "value": "CAPEC-186 Malicious Software Update"}]}], "affected": [{"vendor": "ConnectWise", "product": "Automate", "modules": ["Agent"], "versions": [{"status": "affected", "version": "All versions prior to 2026.5"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ConnectWise Automate\u2122 Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The ConnectWise Automate\u2122 Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5."}]}], "references": [{"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Cloud:\u00a0Cloud instances have already been updated to the latest\nAutomate release.\u00a0\u00a0\u00a0\n\n\n\n\n\nOn-prem:\u00a0Apply the 2026.5\nrelease.\u00a0For instruction on updating to the newest release, please reference\nthis doc:\u00a0ConnectWise Automate Release\nNotes 2026.5", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><b>Cloud: </b><span>Cloud instances have already been updated to the latest\nAutomate release.  </span><span> </span></p>\n\n<p><b>On-prem:</b> <span>Apply the 2026.5\nrelease. </span><span>For instruction on updating to the newest release, please reference\nthis doc: </span><a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026/05\">ConnectWise Automate Release\nNotes 2026.5</a></p><p><b></b></p>\n\n<div>\n\n\n\n\n\n<div>\n\n<div><a></a>\n\n<p><br></p></div></div><div><div>\n\n</div>\n\n</div>\n\n</div>"}]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-21T15:55:22.083417Z", "id": "CVE-2026-9089", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-21T15:55:31.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-9089", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-21T15:55:22.083417Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-21T15:55:28.169Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-186", "descriptions": [{"lang": "en", "value": "CAPEC-186 Malicious Software Update"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ConnectWise", "modules": ["Agent"], "product": "Automate", "versions": [{"status": "affected", "version": "All versions prior to 2026.5"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Cloud:\u00a0Cloud instances have already been updated to the latest\nAutomate release.\u00a0\u00a0\u00a0\n\n\n\n\n\nOn-prem:\u00a0Apply the 2026.5\nrelease.\u00a0For instruction on updating to the newest release, please reference\nthis doc:\u00a0ConnectWise Automate Release\nNotes 2026.5", "supportingMedia": [{"type": "text/html", "value": "<p><b>Cloud: </b><span>Cloud instances have already been updated to the latest\nAutomate release.  </span><span> </span></p>\n\n<p><b>On-prem:</b> <span>Apply the 2026.5\nrelease. </span><span>For instruction on updating to the newest release, please reference\nthis doc: </span><a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026/05\">ConnectWise Automate Release\nNotes 2026.5</a></p><p><b></b></p>\n\n<div>\n\n\n\n\n\n<div>\n\n<div><a></a>\n\n<p><br></p></div></div><div><div>\n\n</div>\n\n</div>\n\n</div>", "base64": false}]}], "references": [{"url": "https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "The ConnectWise Automate\u2122 Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.", "supportingMedia": [{"type": "text/html", "value": "The ConnectWise Automate\u2122 Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494 Download of code without integrity check"}]}], "providerMetadata": {"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "shortName": "ConnectWise", "dateUpdated": "2026-05-21T14:32:14.029Z"}}}, "cveMetadata": {"cveId": "CVE-2026-9089", "state": "PUBLISHED", "dateUpdated": "2026-05-21T15:55:31.691Z", "dateReserved": "2026-05-20T15:02:32.409Z", "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "datePublished": "2026-05-21T14:32:14.029Z", "assignerShortName": "ConnectWise"}, "dataVersion": "5.2"}