Skip to main content

MOVEit Automation EUVDEUVD-2026-31119

| CVE-2026-8488 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-20 ProgressSoftware GHSA-rcwv-f9jp-p684
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 16:02 vuln.today
Patch available
May 20, 2026 - 16:01 EUVD

DescriptionCVE.org

Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.

This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

AnalysisAI

Unauthenticated resource exhaustion in Progress Software MOVEit Automation enables a low-privileged remote attacker to degrade availability by triggering excessive resource allocation without server-side throttling controls. Affecting all MOVEit Automation releases prior to 2025.0.11 and the 2025.1.x branch prior to 2025.1.7, successful exploitation results in limited availability impact (A:L per CVSS) against the targeted instance. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis; the vendor has released patched versions.

Technical ContextAI

CWE-770 (Allocation of Resources Without Limits or Throttling) describes a failure to impose caps on resource consumption - such as memory, threads, connections, or processing time - allowing an attacker to starve the application of capacity. In MOVEit Automation (CPE: cpe:2.3:a:progress_software:moveit_automation:*:*:*:*:*:*:*:*), this is a server-side automation workflow engine by Progress Software. The CVSS vector (AV:N/AC:L/PR:L) indicates the vulnerable code path is reachable over the network with low complexity, but requires a low-privileged authenticated session, suggesting the allocation sink exists within an authenticated API or workflow execution surface. The scope is unchanged (S:U), meaning exploitation is contained within the MOVEit Automation process boundary and does not cascade to the underlying OS or adjacent systems.

RemediationAI

The primary remediation is to upgrade to a patched release: organizations on the stable branch should upgrade to MOVEit Automation 2025.0.11 or later; organizations on the 2025.1.x branch should upgrade to 2025.1.7 or later. Both fix versions are confirmed by the vendor advisory at https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html. If immediate patching is not feasible, compensating controls include restricting low-privileged account creation and auditing existing accounts to minimize the pool of authenticated users who could trigger the condition, rate-limiting inbound authenticated API requests at a WAF or reverse proxy layer, and monitoring for abnormal resource consumption spikes on the MOVEit Automation host. Note that network-layer throttling cannot fully substitute for the server-side fix, as the allocation logic itself remains unbounded; these controls reduce exposure but do not eliminate the risk.

Share

EUVD-2026-31119 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy