CVE-2026-9089
Undergoing Analysis Undergoing Analysis - In Progress
ConnectWise Automate Agent Plugin Loading Authentication Bypass

Publication date: 2026-05-21

Last updated on: 2026-05-22

Assigner: ConnectWise

Description
The ConnectWise Automateβ„’ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-22
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-9089
EUVD
EUVD-2026-31290
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
connectwise automate to 2026.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-494 The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in ConnectWise Automateβ„’ Agent involves the agent not fully verifying the authenticity of components it obtains during plugin loading and self-update operations.

Because of this lack of full integrity verification, unauthorized or malicious components could be executed by the agent.

This issue is identified as CWE-494, which refers to the download of code without integrity checks.

Impact Analysis

This vulnerability has a high impact on confidentiality, integrity, and availability.

An attacker with network access, but no privileges or user interaction, could exploit this vulnerability to execute unauthorized or malicious components.

This could lead to unauthorized access to sensitive information, modification or corruption of data, and disruption of services.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-9089 in ConnectWise Automateβ„’, you should update your ConnectWise Automate Agent to version 2026.5 or later.

This update addresses the issue where the agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations.

ConnectWise recommends prioritizing this update within your normal change management timelines but no longer than 30 days.

Cloud instances have already been updated, so on-premises users must apply the 2026.5 release as soon as possible.

For detailed instructions, refer to the ConnectWise Automate Release Notes for version 2026.5.

Compliance Impact

The vulnerability in ConnectWise Automateβ„’ Agent allows unauthorized or malicious components to be executed due to insufficient verification during plugin loading and self-update operations. This leads to high risks to confidentiality, integrity, and availability of the affected systems.

Such risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. Failure to address this vulnerability could result in unauthorized data access or system compromise, potentially violating these regulatory requirements.

ConnectWise has released an update (version 2026.5) to address this issue and recommends applying it within 30 days to mitigate these risks and support compliance efforts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart