CVE-2026-9089 | THREATINT

Description

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.

PUBLISHED Reserved 2026-05-20 | Published 2026-05-21 | Updated 2026-05-22 | Assigner ConnectWise

HIGH: 8.8CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-494 Download of code without integrity check

Product status

Default status

unaffected

All versions prior to 2026.5

affected

References

www.connectwise.com/...6-05-21-connectwise-automate-bulletin

cve.org (CVE-2026-9089)

nvd.nist.gov (CVE-2026-9089)

Download JSON