Skip to main content

TeamViewer DEX CVE-2026-8381

| EUVDEUVD-2026-31420 MEDIUM
Missing Authorization (CWE-862)
2026-05-22 TV GHSA-x4qq-w73c-72mv
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 22, 2026 - 09:33 vuln.today
Patch available
May 22, 2026 - 09:01 EUVD

DescriptionCVE.org

A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for higher‑privileged roles. An attacker with low‑privileged credentials may exploit this to gain unauthorized access to administrative or sensitive functionality.

AnalysisAI

Broken access control in TeamViewer DEX Platform (On-Premises) before version 9.2 allows authenticated low-privileged users to invoke administrative API endpoints and access sensitive resources outside their authorized scope. The root cause is CWE-862 (Missing Authorization) - backend API endpoints omit proper role-based authorization checks despite confirming user identity. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, but the network-accessible attack vector and low complexity make exploitation straightforward for any user holding valid platform credentials.

Technical ContextAI

TeamViewer DEX is an on-premises digital employee experience platform with a backend API layer. CWE-862 (Missing Authorization) describes a pattern where code performs authentication - confirming the user's identity - but skips or incorrectly implements the authorization step that enforces what that identity is permitted to do. The affected component is the backend API surface, where certain endpoints expose administrative or sensitive operations without checking the caller's role. The affected CPE is cpe:2.3:a:teamviewer:dex_(on-premises):*:*:*:*:*:*:*:*, covering all versions from 0 up to (but not including) 9.2 as cataloged by ENISA EUVD-2026-31420 and the vendor's own advisory TV-2026-1005. The tag 'Authentication Bypass' aligns with the practical effect: a user authenticated at a low-privilege tier can bypass intended role boundaries.

RemediationAI

Upgrade TeamViewer DEX Platform (On-Premises) to version 9.2 or later, which is the vendor-confirmed fix release per advisory TV-2026-1005 at https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1005/. If immediate patching is not operationally feasible, restrict access to the DEX administrative API endpoints at the network perimeter using firewall rules that limit API reachability to trusted IP ranges or dedicated administrative networks, reducing the pool of potential authenticated attackers. Additionally, audit and minimize the number of active low-privileged accounts on the platform, and enable API access logging to detect anomalous calls to high-privilege endpoints as a compensating detective control. Network segmentation does not remediate the underlying CWE-862 authorization flaw and must be treated as a temporary measure only; patching to 9.2 remains the required remediation.

Share

CVE-2026-8381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy