Skip to main content

Absolute Secure Access EUVDEUVD-2026-26430

| CVE-2026-40950 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-30 Absolute
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
May 01, 2026 - 15:28 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 23:30 vuln.today
Patch available
Apr 30, 2026 - 22:02 EUVD
CVSS changed
Apr 30, 2026 - 21:22 NVD
7.1 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 20:45 euvd
EUVD-2026-26430
Analysis Generated
Apr 30, 2026 - 20:45 vuln.today
CVE Published
Apr 30, 2026 - 20:19 nvd
HIGH 7.1

DescriptionCVE.org

CVE-2026-40950 is a buffer overflow vulnerability in the Secure Access server prior to 14.50. Attackers with control of a modified client can send a specially crafted message to the server and cause a denial of service

AnalysisAI

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.

Technical ContextAI

This is a buffer overflow vulnerability (classic memory corruption class) affecting the Absolute Secure Access server component, which provides remote access management and endpoint security capabilities. The vulnerability exists in the server's message parsing or handling logic when processing client communications. Affected product identified via CPE cpe:2.3:a:absolute_software:secure_access:*:*:*:*:*:*:*:* encompasses all Secure Access versions prior to 14.50. Buffer overflows occur when input data exceeds allocated memory boundaries without proper bounds checking, allowing memory corruption. In this case, the flaw is triggered by specially crafted messages from modified clients, suggesting insufficient input validation in the server's client communication protocol handler. The CVSS 4.0 vector indicates network-accessible attack surface with low complexity but requires authenticated access, limiting the attack surface to environments where an attacker has obtained valid credentials or compromised a legitimate client.

RemediationAI

Upgrade Absolute Secure Access server to version 14.50 or later, which contains the vendor-released patch addressing this buffer overflow vulnerability. Consult the vendor advisory at https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40950 for specific upgrade procedures and compatibility considerations. If immediate patching is not feasible, implement network segmentation to restrict Secure Access server access to trusted networks only, reducing exposure to potential attackers with modified clients. Monitor server logs for unusual client communication patterns, repeated connection attempts, or crash events that could indicate exploitation attempts. Consider temporarily disabling Secure Access server internet exposure and requiring VPN access for legitimate users until patching is complete-this trades convenience for security by eliminating direct internet attack surface. Review and strengthen authentication requirements to ensure only authorized users can authenticate to the server, reducing the pool of potential authenticated attackers. Note that workarounds reduce but do not eliminate risk, as insider threats or compromised credentials still enable exploitation.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

CVE-2024-37343 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio

Share

EUVD-2026-26430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy