CVE-2026-9089 PUBLISHED

Assigner: ConnectWise
Reserved: 20.05.2026 Published: 21.05.2026 Updated: 21.05.2026

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.

Metrics

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor ConnectWise
Product Automate
Versions Default: unaffected
  • All versions prior to 2026.5 are affected

Solutions

Cloud: Cloud instances have already been updated to the latest Automate release.

On-prem: Apply the 2026.5 release. For instructions on updating to the newest release, refer to the ConnectWise Automate Release Notes 2026.5.

References

Problem Types

  • CWE-494 Download of Code Without Integrity Check

Impacts

  • CAPEC-186 Malicious Software Update