CVE-2026-9089

HIGH

ConnectWise Automate < 2026.5 - Download of Code Without Integrity Check

Title source: llm

Description

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.

References (1)

Core 1

Core References

https://www.connectwise.com/company/trust/security-bulletins/2026-05-21-connectwise-automate-bulletin

Scores

CVSS v3 8.8

EPSS 0.0019

EPSS Percentile 8.8%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-494

Status published

Products (2)

connectwise/automate < 2026.5

ConnectWise/Automate All versions prior to 2026.5

Published May 21, 2026

Tracked Since May 21, 2026