What is the CVSS score of CVE-2026-6066?

CVE-2026-6066 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Automate are affected by CVE-2026-6066?

ConnectWise Automate Solution Center transmits sensitive client data in unencrypted communications, exposing confidential information to network interception by authenticated users with network…

How to fix or mitigate CVE-2026-6066?

Within 24 hours: Inventory all ConnectWise Automate Solution Center deployments and identify which versions are deployed (all versions before 2026.4 are affected). Within 7 days: Implement network segmentation to restrict Solution Center traffic to trusted network segments only and deploy TLS/SSL inspection or network monitoring to detect unencrypted sensitive data transmission. Within 30 days: Contact ConnectWise for patch availability timeline for version 2026.4 and plan upgrade; evaluate whether to migrate to alternative solutions if patch timeline is unacceptable.

Automate CVE-2026-6066

EUVD-2026-23875 HIGH

Cleartext Transmission of Sensitive Information (CWE-319)

2026-04-20 ConnectWise

GHSA-h2v9-xpqq-69hx

Information Disclosure Automate

7.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 20, 2026 - 19:07 vuln.today

cvss_changed

Analysis Generated

Apr 20, 2026 - 16:24 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 16:00 euvd

EUVD-2026-23875

Analysis Generated

Apr 20, 2026 - 16:00 vuln.today

CVE Published

Apr 20, 2026 - 15:26 nvd

HIGH 7.1

DescriptionCVE.org

ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.

AnalysisAI

Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interception in all versions before 2026.4. Remote authenticated attackers with network access can capture Solution Center traffic containing potentially high-value confidential information (CVSS:3.1 C:H). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid Automate credentials

Delivery

Position network sniffer on Solution Center segment

Exploit

Capture unencrypted client-server traffic

Execution

Extract credentials and configuration data

Impact

Escalate privileges or pivot to managed endpoints