Skip to main content

Dell PowerFlex Manager CVE-2026-35067

HIGH
Improper Access Control (CWE-284)
2026-06-17 dell
Dell Authentication Bypass Powerflex
8.0
CVSS 3.1 · NVD
Share

Severity by source

Vendor (dell) PRIMARY
MEDIUM
qualitative
NVD
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Adjacent-network reachability to the management plane (AV:A), valid low-tier account required (PR:L), no user interaction, and full administrative takeover of storage cluster yields C:H/I:H/A:H.

3.1 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 22, 2026 - 18:59 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 18:53 vuln.today
cvss_changed
Severity Changed
Jun 22, 2026 - 18:53 NVD
MEDIUM HIGH
CVSS changed
Jun 22, 2026 - 18:53 NVD
5.7 (MEDIUM) 8.0 (HIGH)
Analysis Generated
Jun 17, 2026 - 15:42 vuln.today

DescriptionNVD

Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access.

AnalysisAI

Privilege escalation in Dell PowerFlex Manager allows a low-privileged attacker on an adjacent network segment to bypass access controls and gain unauthorized elevated access to the management plane. The CVSS 8.0 (High) score reflects significant confidentiality, integrity, and availability impact, though there is no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.13% (3rd percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on adjacent management VLAN
Delivery
Authenticate with low-privilege PowerFlex account
Exploit
Invoke improperly gated management function
Execution
Escalate to administrative role
Impact
Access or tamper with storage cluster data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must (1) have network reachability to the PowerFlex Manager interface from the same adjacent/L2 network segment (AV:A precludes exploitation across the open internet or through routed segments not bridged to the management LAN), and (2) hold valid credentials for a low-privileged PowerFlex Manager account (PR:L) - fully unauthenticated exploitation is not supported by the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are sharply mixed and warrant careful prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised a low-privilege operator account - or pivoted onto the storage management VLAN from a breached jump host or monitoring appliance - sends crafted API or UI requests to PowerFlex Manager that invoke functions the authorization layer fails to gate, escalating to administrative privileges over the storage cluster. From there the attacker can read or tamper with tenant storage objects, alter cluster configuration, or disrupt availability. …
Remediation Patch available per vendor advisory - apply the fixed PowerFlex Manager release documented in Dell DSA-2026-066 (https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities); exact fix versions are not reproduced in the NVD record and must be read directly from the Dell knowledge base article. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Dell PowerFlex Manager installations in production and document their network location, management access scope, and user populations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-35065 HIGH
8.8 Jun 17

Missing authentication on a critical function in Dell PowerFlex Manager allows an adjacent-network attacker to invoke pr
CVE-2026-32804 HIGH
8.1 Jun 17

Authentication bypass in Dell PowerFlex Manager allows an unauthenticated attacker with adjacent-network access to gain

CVE-2026-49502 HIGH
8.1 Jun 17

Improper authentication in Dell PowerFlex Manager allows unauthenticated attackers with adjacent network access to bypas
CVE-2026-35069 HIGH
8.0 Jun 17

SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL comm
CVE-2026-22283 HIGH
7.5 Jun 17

Information disclosure in Dell PowerFlex Manager versions prior to 4.8 stems from inclusion of functionality from an unt

Share

CVE-2026-35067 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy