Skip to main content

Secure Access EUVDEUVD-2026-44790

| CVE-2026-40956 LOW
2026-07-15 Absolute
2.1
CVSS 4.0 · Vendor: Absolute

Severity by source

Vendor (Absolute) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Network-reachable but requires MitM protocol control (AC:H) and active session (UI:R); only minor memory disclosure with no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Absolute).

CVSS VectorVendor: Absolute

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 22:33 EUVD
Analysis Generated
Jul 15, 2026 - 20:33 vuln.today

DescriptionCVE.org

CVE-2026-40956 is a memory disclosure vulnerability in Secure Access client versions prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can cause a small amount of random memory to leak.

AnalysisAI

Memory disclosure in Absolute Security Secure Access client (versions prior to 14.55) permits a small, indeterminate amount of process memory to leak to an adversary who has already achieved full control over the tunnel protocol. The CVSS 4.0 score of 2.1 accurately reflects the narrow real-world impact: an attacker must simultaneously possess intimate protocol knowledge and the ability to manipulate tunnel communications end-to-end, a prerequisite that dramatically limits the exploitable population. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MitM position on VPN path
Delivery
Acquire tunnel protocol internals
Exploit
Establish or intercept active client session
Execution
Craft malicious tunnel messages
Persist
Trigger memory boundary overread
Impact
Extract leaked process memory bytes

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker simultaneously hold two high-bar conditions: (1) 'intimate knowledge' of the Absolute Secure Access tunnel protocol internals, implying reverse-engineering or insider access to protocol specifications; and (2) 'total control over the tunnel protocol,' meaning the attacker must be able to inject or modify tunnel-layer messages in transit - a position equivalent to a fully capable man-in-the-middle on the VPN path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 rates this at 2.1 - among the lowest possible scores - driven by high attack complexity (AC:H), the presence of specific attack requirements (AT:P), required user interaction (UI:A), and only low confidentiality impact (VC:L) with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A sophisticated adversary positioned as a man-in-the-middle on the VPN path - for example, through a rogue gateway or compromised network segment - uses deep protocol knowledge to craft or manipulate tunnel messages sent to an active Secure Access client session. The malformed protocol exchange causes the client to respond with a reply containing a small portion of adjacent process memory. …
Remediation The primary remediation is upgrading the Absolute Security Secure Access client to version 14.55 or later, which is identified as the fixed release based on the description's 'versions prior to 14.55' boundary. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33445 HIGH
8.7 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep,

CVE-2026-40952 HIGH
8.5 Jul 15

Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p

CVE-2025-49080 HIGH
7.5 Jun 12

Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,

CVE-2026-0517 HIGH
7.5 Jan 17

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica

CVE-2026-40950 HIGH
7.1 Apr 30

Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi

CVE-2026-33443 HIGH
7.1 Jul 15

Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti

CVE-2026-55398 MEDIUM
6.9 Jul 15

Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know

CVE-2026-33444 MEDIUM
6.9 Jul 15

Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac

CVE-2026-40953 MEDIUM
6.7 Jul 15

Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p

CVE-2025-54088 MEDIUM
6.1 Oct 02

CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c

CVE-2026-40957 MEDIUM
6.1 Jul 15

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks

CVE-2024-37345 MEDIUM
5.4 Jun 20

There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to

Share

EUVD-2026-44790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy