CVE-2026-51947
Status: Received - Intake

Deserialization Vulnerability in Pivotal CRM

Vulnerability report for CVE-2026-51947, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: MITRE

Description

An issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip (fixed in Pivotal CRM 6.6.5.10 and Patch_CWE502_20260316.zip) allows a remote attacker to execute arbitrary code via the Pivotal.Engine.Client.Services.Conversion.dll component. NOTE: this issue exists because of an incomplete fix for CVE-2026-39253.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs

Vendor    Product       Version / Range
pivotal   pivotal_crm   6.6.4.08
pivotal   pivotal_crm   6.6.5.10
pivotal   pivotal_crm   From 6.6.5.10 (inc)
pivotal   pivotal_crm   to 6.6.5.10 (exc)

Exploitability

CWE ID: CWE-UNKNOWN

Impact Analysis

This vulnerability allows a remote attacker to execute arbitrary code on affected systems running vulnerable versions of Pivotal CRM or those using the incomplete patch. Remote code execution (RCE) can lead to full system compromise, unauthorized access, data theft, or disruption of services.

Because the flaw lets an attacker bypass the safeguards around deserialization, a crafted payload delivered over the network is enough; no prior access to the system is needed, which raises both the likelihood and the impact of exploitation.

Executive Summary

CVE-2026-51947 is a security vulnerability in Pivotal CRM 6.6.4.08 and systems using a specific patch from December 2025. It is a regression issue caused by an incomplete fix for a previous vulnerability (CVE-2026-39253). The original fix replaced an insecure deserialization method (BinaryFormatter) with JSON.NET but did not properly enforce security controls.

Specifically, the patch left the JSON deserialization setting TypeNameHandling set to Auto without assigning a SerializationBinder, which allowed attackers to bypass allowlist restrictions by sending malicious JSON payloads containing arbitrary $type properties. This enabled remote attackers to execute arbitrary code remotely by exploiting gadget chains like ObjectDataProvider.

The vulnerability targets the DLL Pivotal.Engine.Client.Services.Conversion.dll and was fixed in Pivotal CRM 6.6.5.10 and a March 2026 patch that properly implements a SafeJsonSerializationBinder and blocks legacy BinaryFormatter payloads.

Detection Guidance

To detect this vulnerability, security scans should focus on identifying the presence of insecure deserialization issues flagged as CWE-502 and check for usage of the BinaryFormatter in the Pivotal.Engine.Client.Services.Conversion.dll component.

Specifically, detection involves verifying if the affected Pivotal CRM version 6.6.4.08 or systems using the patch-ghi-15381-cwe-502-20251225.zip are present, and whether the vulnerable DLL is in use.

While no explicit commands are provided in the resources, typical approaches include scanning for the DLL file version and monitoring network traffic for suspicious serialized payloads containing arbitrary $type properties indicative of malicious JSON payloads.

Administrators can also check the configuration of JSON deserialization settings, such as whether TypeNameHandling is set to Auto without a SerializationBinder, which is a key indicator of vulnerability.

Mitigation Strategies

Immediate mitigation involves applying the updated patch released by Pivotal in March 2026 (Patch_CWE502_20260316.zip) or upgrading to Pivotal CRM version 6.6.5.10 or later.

This patch properly implements a SafeJsonSerializationBinder and includes a first-byte check to block legacy BinaryFormatter payloads, effectively preventing remote code execution.
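The weak setting the Executive Summary describes and the two controls attributed to the March 2026 patch, sketched as an added C# example that is not Pivotal's code: the contract type, the binder class name and the allowlist contents are assumed, and the 0x00 first-byte test is one reasonable way to implement the BinaryFormatter check, not necessarily the vendor's.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Stand-in contract (assumed) for whatever the Conversion component actually exchanges.
public sealed class ConversionRequest { public string SourceFormat { get; set; } public string Body { get; set; } }

// Allowlisting binder: a $type name is resolved only if it maps to a type registered here;
// every other name is rejected before JSON.NET can instantiate anything.
public sealed class AllowlistSerializationBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(ConversionRequest).FullName] = typeof(ConversionRequest),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException($"Type '{typeName}' is not allowlisted for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                // emit the bare name so it round-trips through BindToType
        typeName = serializedType.FullName;
    }
}

public static class ConversionDeserializer
{
    // The incomplete fix used { TypeNameHandling = TypeNameHandling.Auto } with no SerializationBinder,
    // so JSON.NET resolved any loadable type name found in $type. The same mode is kept here, but every
    // name now passes through the allowlist. (If $type is not needed, TypeNameHandling.None removes the risk.)
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto,
        SerializationBinder = new AllowlistSerializationBinder(),
    };

    public static ConversionRequest Deserialize(byte[] raw)
    {
        // First-byte check (assumed shape): a BinaryFormatter stream always opens with its
        // SerializedStreamHeader record, whose record-type byte is 0x00; JSON text never starts with 0x00.
        if (raw == null || raw.Length == 0 || raw[0] == 0x00)
            throw new InvalidOperationException("Legacy BinaryFormatter payloads are rejected.");
        return JsonConvert.DeserializeObject<ConversionRequest>(Encoding.UTF8.GetString(raw), Hardened);
    }
}
```

A request whose $type names anything outside the allowlist fails in BindToType with a JsonSerializationException before any object is constructed, which is the behaviour to look for when verifying a deployment has the corrected binder in place.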

If both the Smart Client and PBS Server are in use, patch the PBS Server first, then the Smart Client.

After patching, users may need to sign in again to ensure the new security controls are active.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
