CVE-2026-21671
Modified
Modified - Updated After Analysis
Remote Code Execution in Veeam Backup HA via Backup Admin Role
Publication date: 2026-03-12
Last updated on: 2026-05-10
Assigner: HackerOne
Description
Description
A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| veeam | veeam_backup_&_replication | From 13.0.0.496 (inc) to 13.0.1.1071 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
