Skip to main content

Absolute Secure Access CVE-2026-33451

| EUVDEUVD-2026-26423 HIGH
Out-of-bounds Read (CWE-125)
2026-04-30 Absolute
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
May 01, 2026 - 15:28 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 22:45 vuln.today
Patch available
Apr 30, 2026 - 22:02 EUVD
CVSS changed
Apr 30, 2026 - 21:22 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 20:30 euvd
EUVD-2026-26423
Analysis Generated
Apr 30, 2026 - 20:30 vuln.today
CVE Published
Apr 30, 2026 - 20:08 nvd
HIGH 8.5

DescriptionCVE.org

CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system.

AnalysisAI

Local privilege escalation in Absolute Secure Access Windows client versions prior to 14.50 allows authenticated local attackers to escalate privileges to SYSTEM level by sending malformed API data. The vulnerability stems from an arbitrary read/write flaw in the client's API handling. Vendor patch is available (version 14.50). EPSS score not available for this recent CVE; no public exploit identified at time of analysis, and not currently listed in CISA KEV.

Technical ContextAI

Absolute Secure Access is an endpoint security and access control solution for Windows environments. This vulnerability represents an arbitrary read/write condition in the Windows client's API interface that handles local IPC or service communications. The CVSS 4.0 vector indicates local attack surface (AV:L) with low complexity (AC:L) requiring low-privilege local user credentials (PR:L). Arbitrary read/write vulnerabilities typically allow attackers to manipulate memory or system structures by reading sensitive data to bypass protections (like ASLR) and writing crafted payloads to privileged memory regions. Without a mapped CWE, the specific root cause class is unclear, but common patterns include improper input validation (CWE-20), insufficient access control on API endpoints (CWE-284), or unsafe deserialization of API payloads. The affected CPE (cpe:2.3:a:absolute_software:secure_access) confirms this is the enterprise access control client rather than Absolute's broader endpoint management platform.

RemediationAI

Upgrade Absolute Secure Access Windows client to version 14.50 or later, as confirmed by vendor advisory at https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451. Organizations should prioritize endpoints with elevated risk profiles (administrative workstations, systems processing sensitive data) for immediate patching. If immediate upgrade is not feasible, implement compensating controls: restrict local logon rights to trusted users only via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally'), enable Windows Defender Application Control or AppLocker to prevent unauthorized code execution by low-privileged users, and monitor for unusual API calls or privilege escalation attempts via Sysmon Event ID 10 (process access) targeting the Secure Access client process. These mitigations reduce attack surface but do not eliminate the vulnerability; local administrators can often bypass these controls, and restricting logons may impact legitimate workflows. Deploy centralized patch management to track upgrade completion and identify systems running vulnerable versions via software inventory tools querying installed Secure Access client versions.

Share

CVE-2026-33451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy