Skip to main content

NI SystemLink Enterprise EUVDEUVD-2026-33411

| CVE-2026-9051 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-05-29 NI GHSA-f5mf-h7w7-c35x
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 29, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 29, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 29, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
May 29, 2026 - 19:22 NVD
9.1 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
May 29, 2026 - 18:50 vuln.today

DescriptionCVE.org

There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure.  Successful exploitation requires an attacker to send a specially crafted HTTP request.  This vulnerability affects NI SystemLink Enterprise 2026-04 and prior versions.

AnalysisAI

Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Technical ContextAI

NI SystemLink Enterprise is National Instruments' centralized platform for managing distributed test, measurement, and engineering systems, with a web-based Dashboard used by engineers to monitor instruments, assets, and test data across an organization. The affected component (CPE cpe:2.3:a:ni:systemlink_enterprise:*) exposes an HTTP interface whose authentication layer can be bypassed via a specially crafted request. The root cause maps to CWE-306 (Missing Authentication for a Critical Function), meaning a sensitive endpoint or function fails to verify the requester's identity before processing the request, allowing operations that should be gated by login or role checks to be invoked anonymously.

RemediationAI

Apply the fixed release identified in NI's security advisory at https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/authentication-bypass-vulnerability-in-ni-systemlink-enterprise.html; the input data does not include an exact patched version string, so treat this as patch available per vendor advisory and confirm the target version directly with NI before deployment. Until upgraded, restrict network reachability of the SystemLink Enterprise Dashboard to trusted management subnets via firewall or reverse-proxy ACLs and require VPN access, accepting that this removes broad engineer access from untrusted networks. Place the Dashboard behind an authenticating reverse proxy (for example an SSO-enforcing gateway) so that the vulnerable HTTP endpoints are not directly reachable, noting that this may break clients that bypass the proxy. Increase HTTP access logging and alert on anonymous requests reaching authenticated paths so any exploitation attempts before patching are visible.

Share

EUVD-2026-33411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy