Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure. Successful exploitation requires an attacker to send a specially crafted HTTP request. This vulnerability affects NI SystemLink Enterprise 2026-04 and prior versions.
AnalysisAI
Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Technical ContextAI
NI SystemLink Enterprise is National Instruments' centralized platform for managing distributed test, measurement, and engineering systems, with a web-based Dashboard used by engineers to monitor instruments, assets, and test data across an organization. The affected component (CPE cpe:2.3:a:ni:systemlink_enterprise:*) exposes an HTTP interface whose authentication layer can be bypassed via a specially crafted request. The root cause maps to CWE-306 (Missing Authentication for a Critical Function), meaning a sensitive endpoint or function fails to verify the requester's identity before processing the request, allowing operations that should be gated by login or role checks to be invoked anonymously.
RemediationAI
Apply the fixed release identified in NI's security advisory at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/authentication-bypass-vulnerability-in-ni-systemlink-enterprise.html; the input data does not include an exact patched version string, so treat this as patch available per vendor advisory and confirm the target version directly with NI before deployment. Until upgraded, restrict network reachability of the SystemLink Enterprise Dashboard to trusted management subnets via firewall or reverse-proxy ACLs and require VPN access, accepting that this removes broad engineer access from untrusted networks. Place the Dashboard behind an authenticating reverse proxy (for example an SSO-enforcing gateway) so that the vulnerable HTTP endpoints are not directly reachable, noting that this may break clients that bypass the proxy. Increase HTTP access logging and alert on anonymous requests reaching authenticated paths so any exploitation attempts before patching are visible.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33411
GHSA-f5mf-h7w7-c35x