Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.
AnalysisAI
Code integrity failure in ConnectWise Automate Agent versions prior to 2026.5 allows adjacent network attackers to substitute malicious components during plugin loading and self-update operations. The Automate agent does not fully verify the authenticity of downloaded components, enabling code execution at the agent's privilege level across managed endpoints. No public exploit identified at time of analysis, though the high CVSS score of 8.8 and the agent's deep system access make this a priority remediation for MSPs using the platform.
Technical ContextAI
ConnectWise Automate (formerly LabTech) is a remote monitoring and management (RMM) platform widely used by managed service providers to administer endpoint fleets. The agent component runs on managed endpoints and periodically downloads plugins and self-update payloads from the Automate server infrastructure. The vulnerability maps to CWE-494 (Download of Code Without Integrity Check), meaning the agent fetches executable components without sufficiently validating their cryptographic authenticity - for example, missing or weak signature verification on downloaded plugins and update binaries. The CPE cpe:2.3:a:connectwise:automate covers the Automate product line, and the EUVD record (EUVD-2026-31290) corroborates that all versions prior to 2026.5 are affected.
RemediationAI
Upgrade to ConnectWise Automate 2026.5 or later, the vendor-released patch identified in the ConnectWise security bulletin dated 2026-05-21 (https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin); this is the primary and authoritative fix. Until the upgrade can be staged across all managed endpoints, restrict the network segments where Automate agents operate so that only the legitimate Automate server is reachable for plugin and update traffic - segment agent VLANs, enforce egress filtering to known-good Automate server IPs/hostnames, and monitor for ARP spoofing or rogue DHCP on agent subnets given the AV:A adjacent-network attack vector. Consider temporarily pausing automatic plugin loading and self-update where the product allows, accepting the trade-off of delayed legitimate updates and manual plugin management overhead, and audit recent plugin/update activity for anomalies before patching.
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain acc
An XXE vulnerability exists in ConnectWise Automate before 2021.0.6.132. Rated critical severity (CVSS 9.8), this vulner
ConnectWise Automate through 2020.x has insufficient validation on certain authentication paths, allowing authentication
Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec
The Agent Update System in ConnectWise Automate before 2020.8 allows Privilege Escalation because the _LTUPDATE folder h
Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interc
Connectwise Automate 2022.11 is vulnerable to Clickjacking. Rated medium severity (CVSS 6.1), this vulnerability is remo
Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Rated medium severity (CVSS 5.9), this vulnerabi
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain acc
Same weakness CWE-494 – Download of Code Without Integrity Check
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31290
GHSA-whv3-47vh-qhwp