Skip to main content

Dell PowerFlex Manager CVE-2026-49502

HIGH
Improper Authentication (CWE-287)
2026-06-17 dell
Dell Authentication Bypass Information Disclosure Powerflex
8.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (dell) PRIMARY
HIGH
qualitative
NVD
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Adjacent management network reach (AV:A), no auth or interaction needed (PR:N/UI:N), low complexity, with high confidentiality and integrity impact but no availability effect per the description.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (dell).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Updated
Jun 22, 2026 - 19:00 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 18:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 18:53 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 18:53 NVD
7.4 (HIGH) 8.1 (HIGH)
Analysis Generated
Jun 17, 2026 - 15:35 vuln.today

DescriptionNVD

Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access.

AnalysisAI

Improper authentication in Dell PowerFlex Manager allows unauthenticated attackers with adjacent network access to bypass authentication controls, resulting in information disclosure, data tampering, and unauthorized access to managed storage infrastructure. The vulnerability carries a CVSS 8.1 rating reflecting high confidentiality and integrity impact, though no public exploit identified at time of analysis and EPSS scores it at 0.19% probability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on adjacent management VLAN
Delivery
Discover PowerFlex Manager endpoint
Exploit
Send crafted unauthenticated request
Execution
Bypass authentication via CWE-287 flaw
Persist
Enumerate or tamper with storage configuration
Impact
Exfiltrate tenant data or alter provisioning
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must have adjacent-network access to the PowerFlex Manager interface - specifically Layer 2 reachability or routed access within the same management/storage broadcast domain, which typically means an existing presence on the storage fabric, management VLAN, or an adjacent hypervisor host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed: CVSS 8.1 (High) reflects strong confidentiality and integrity impact with no privileges required, but the AV:A constraint requires the attacker to already sit on an adjacent broadcast domain or management network - a meaningful barrier in well-segmented environments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained a foothold on the storage or management VLAN - for example via a compromised hypervisor host, a rogue device on the management switch, or a pivot from an adjacent tenant - sends crafted requests to the PowerFlex Manager interface that bypass authentication checks. The attacker then enumerates storage configuration, exfiltrates sensitive volume and tenant metadata, or modifies provisioning state to disrupt or backdoor storage allocations. …
Remediation Patch available per vendor advisory: consult Dell DSA-2026-066 at https://www.dell.com/support/kbdoc/en-us/000477538/dsa-2026-066-security-update-for-powerflex-software-multiple-vulnerabilities for the exact fixed PowerFlex Manager build and apply the vendor-supplied update during a maintenance window. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Dell PowerFlex Manager deployments and review management network segmentation; confirm only authorized personnel/systems have adjacent network access to PowerFlex management interfaces. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-35065 HIGH
8.8 Jun 17

Missing authentication on a critical function in Dell PowerFlex Manager allows an adjacent-network attacker to invoke pr
CVE-2026-32804 HIGH
8.1 Jun 17

Authentication bypass in Dell PowerFlex Manager allows an unauthenticated attacker with adjacent-network access to gain

CVE-2026-35069 HIGH
8.0 Jun 17

SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL comm
CVE-2026-35067 HIGH
8.0 Jun 17

Privilege escalation in Dell PowerFlex Manager allows a low-privileged attacker on an adjacent network segment to bypass
CVE-2026-22283 HIGH
7.5 Jun 17

Information disclosure in Dell PowerFlex Manager versions prior to 4.8 stems from inclusion of functionality from an unt

Share

CVE-2026-49502 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy