CVE-2026-6066

HIGH

Unencrypted Client‑Server Communication in ConnectWise Automate™ Solution Center

Title source: cna

Description

ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.

References (1)

Core 1

Core References

https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin

Scores

CVSS v3 7.1

EPSS 0.0008

EPSS Percentile 0.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (2)

connectwise/automate < 2026.4

ConnectWise/Automate All versions prior to 2026.4

Published Apr 20, 2026

Tracked Since Apr 20, 2026