Skip to main content

Secure Access CVE-2026-40957

| EUVDEUVD-2026-44791 MEDIUM
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-07-15 Absolute
6.1
CVSS 4.0 · Vendor: Absolute
Share

Severity by source

Vendor (Absolute) PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-reachable, no privileges required, but user interaction is mandatory; scope change reflects credential theft enabling high integrity impact on the Secure Access management plane.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (Absolute).

CVSS VectorVendor: Absolute

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 22:33 EUVD
Analysis Generated
Jul 15, 2026 - 20:34 vuln.today

DescriptionCVE.org

o CVE-2026-40957 is a frameable content vulnerability in the Secure Access server login page prior to 14.55. Attackers with control of a malicious web site could use it to potentially steal credentials from an unwary administrator.

AnalysisAI

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious site embedding Secure Access login iframe
Delivery
Phish administrator to visit malicious site
Exploit
Administrator enters credentials into framed login page
Execution
Attacker captures submitted credentials
Impact
Authenticate to Secure Access management console as administrator

Vulnerability AssessmentAI

Exploitation The attacker must control a malicious website and successfully social-engineer an administrator into visiting it and actively entering credentials - the CVSS 4.0 UI:A metric confirms active interaction is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.1 reflects a meaningful but not critical risk: AV:N/AC:L/AT:N/PR:N establish that exploitation is network-reachable with no configuration prerequisites, but UI:A (active user interaction) is a significant limiting factor requiring the administrator to visit and interact with a malicious site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain resembling an internal IT portal and hosts a page that invisibly overlays the Absolute Secure Access login page in a full-screen iframe. A phishing email or Slack message directs a Secure Access administrator to the malicious domain under a pretense (e.g., a fake password reset notice). …
Remediation Upgrade Absolute Secure Access to version 14.55 or later, which is the vendor-identified fix boundary per the advisory at https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40957. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

CVE-2024-37343 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio

Share

CVE-2026-40957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy