
Dell PowerFlex Manager CVE-2026-35066

Severity: HIGH (7.1, CVSS 3.1) · Improper Access Control (CWE-284) · Vendor: dell · Published: 2026-06-17

Severity by source

Vendor (dell), PRIMARY: 7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

vuln.today AI: 7.1 HIGH

Network-reachable management API, low-privilege account suffices (PR:L), no user interaction; the primary impact is service outage (A:H) with minor integrity side effects and no confidentiality loss.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS Vector (Vendor: dell)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 15:37 (vuln.today)

Description (CVE.org)

Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service.

Analysis (AI)

Improper access control in Dell PowerFlex Manager allows a low-privileged remote attacker to trigger a denial-of-service condition and tamper with integrity-sensitive operations against the software-defined storage management plane. Dell disclosed the issue in advisory DSA-2026-066, and at the time of analysis no public exploit has been identified and the CVE is not on the CISA KEV list.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege PowerFlex credentials
Delivery: Reach management API over network
Exploit: Invoke privileged endpoint missing authorization check
Execution: Trigger denial of service on management plane
Impact: Disrupt storage administration and orchestration

Vulnerability Assessment (AI)

Exploitation: Requires network reachability to the Dell PowerFlex Manager management interface (UI or REST API) and possession of valid credentials for any low-privileged PowerFlex role (PR:L per the CVSS vector), with no user interaction needed. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H produces a 7.1 (High) score, driven by High availability impact reachable over the network with only Low privileges and no user interaction. This matters because PowerFlex Manager governs primary storage for virtualization and database workloads, where outages cascade. …

Exploit Scenario: An attacker who has phished or otherwise obtained a low-privilege PowerFlex Manager account - for example a read-only operator or a compromised automation service account - reaches the management endpoint over the network and invokes a privileged API call that should be gated behind an admin role. The improper access control check lets the request through, knocking the management service or an underlying orchestrated component offline and cutting administrators off from managing the storage cluster. No public exploit had been identified at the time of analysis.

Remediation: A patch is available per Dell vendor advisory DSA-2026-066. Administrators should consult https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities for the exact fixed PowerFlex Manager version applicable to their deployment and upgrade through the standard PowerFlex lifecycle workflow. …

Recommended Action (AI)

24 hours: Identify all Dell PowerFlex Manager instances, document user access levels, and assess network exposure from low-privileged user segments. …

