CVE-2026-2695 PUBLISHED

Lack of Server-side validation in Instruction Input in TeamViewer DEX Platform (On-Premises)

Assigner: TV
Reserved: 18.02.2026 Published: 13.05.2026 Updated: 13.05.2026

A command injection vulnerability was discovered in TeamViewer DEX Platform On-Premises (former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows authenticated users with at least questioner privileges to inject commands in specific instructions. Exploitation could lead to execution of elevated commands on devices connected to the platform.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 6.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	TeamViewer
Product	DEX (On-Premises)
Versions	Default: unaffected affected from 0 to 9.2 (excl.)

Solutions

Update to the latest version (v9.2 or the latest available version).

Credits

Lockheed Martin Red Team finder

References

https://www.teamviewer.com/de/resources/trust-center/security-bulletins/tv-2026-1004/

Problem Types

CWE-20 Improper input validation CWE