Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system.
AnalysisAI
Local privilege escalation in Absolute Secure Access Windows client versions prior to 14.50 allows authenticated local attackers to escalate privileges to SYSTEM level by sending malformed API data. The vulnerability stems from an arbitrary read/write flaw in the client's API handling. Vendor patch is available (version 14.50). EPSS score not available for this recent CVE; no public exploit identified at time of analysis, and not currently listed in CISA KEV.
Technical ContextAI
Absolute Secure Access is an endpoint security and access control solution for Windows environments. This vulnerability represents an arbitrary read/write condition in the Windows client's API interface that handles local IPC or service communications. The CVSS 4.0 vector indicates local attack surface (AV:L) with low complexity (AC:L) requiring low-privilege local user credentials (PR:L). Arbitrary read/write vulnerabilities typically allow attackers to manipulate memory or system structures by reading sensitive data to bypass protections (like ASLR) and writing crafted payloads to privileged memory regions. Without a mapped CWE, the specific root cause class is unclear, but common patterns include improper input validation (CWE-20), insufficient access control on API endpoints (CWE-284), or unsafe deserialization of API payloads. The affected CPE (cpe:2.3:a:absolute_software:secure_access) confirms this is the enterprise access control client rather than Absolute's broader endpoint management platform.
RemediationAI
Upgrade Absolute Secure Access Windows client to version 14.50 or later, as confirmed by vendor advisory at https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451. Organizations should prioritize endpoints with elevated risk profiles (administrative workstations, systems processing sensitive data) for immediate patching. If immediate upgrade is not feasible, implement compensating controls: restrict local logon rights to trusted users only via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), enable Windows Defender Application Control or AppLocker to prevent unauthorized code execution by low-privileged users, and monitor for unusual API calls or privilege escalation attempts via Sysmon Event ID 10 (process access) targeting the Secure Access client process. These mitigations reduce attack surface but do not eliminate the vulnerability; local administrators can often bypass these controls, and restricting logons may impact legitimate workflows. Deploy centralized patch management to track upgrade completion and identify systems running vulnerable versions via software inventory tools querying installed Secure Access client versions.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26423