Cyber Posture

CVE-2026-4670

Severity: Critical
Published: 30 April 2026
Modified: 04 May 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (45.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the authentication bypass vulnerability by requiring timely identification, reporting, and correction of software flaws through vendor patches.
- prevent: Enforces approved authorizations for logical access to system resources, preventing unauthorized actions enabled by the authentication bypass.
- prevent: Requires unique identification and authentication for organizational users, directly countering authentication bypass weaknesses in the MOVEit Automation software.

Security Summary

CVE-2026-4670 is an authentication bypass vulnerability stemming from a primary weakness (CWE-305) in Progress Software's MOVEit Automation. The issue allows attackers to circumvent authentication mechanisms entirely. It affects MOVEit Automation versions from 2025.0.0 prior to 2025.0.9, from 2024.0.0 prior to 2024.1.8, and all versions prior to 2024.0.0. Published on April 30, 2026, the vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.

An unauthenticated attacker with network access can exploit this vulnerability remotely with low attack complexity and no user interaction required. Exploitation bypasses authentication, enabling the attacker to achieve high impacts on confidentiality, integrity, and availability, such as unauthorized access to sensitive data, modification of configurations, or disruption of automation tasks.

Progress Software has issued a Critical Security Alert Bulletin addressing CVE-2026-4670 (along with CVE-2026-5174), available at https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174. Mitigation requires upgrading to patched versions: 2025.0.9 or later for the 2025 branch and 2024.1.8 or later for the 2024 branch.
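To turn the version ranges above into a patch-triage check, here is an added example (not code from Progress or from this page) that encodes the affected ranges exactly as the description states them and flags inventory entries that need the 2025.0.9 or 2024.1.8 fix. The host names and the inventory are constructed, and the upgrade target for pre-2024 builds is an assumption, since the description names no patched release on those branches. Note that the Affected Products box on this page lists a different upper bound for the 2025 branch; confirm the ranges against the vendor bulletin before acting on the result.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as the CVE description gives them: lower bound inclusive,
# upper bound exclusive; a None lower bound means "every earlier release".
# The fixed version for the pre-2024 row is an ASSUMPTION (no patched
# pre-2024 release is listed), so the nearest fixed branch is used.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version, str]] = [
    ((2025, 0, 0), (2025, 0, 9), "2025.0.9"),
    ((2024, 0, 0), (2024, 1, 8), "2024.1.8"),
    (None, (2024, 0, 0), "2024.1.8 (assumed: no patched pre-2024 release)"),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple; '2024.1' pads to (2024, 1, 0)."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # type: ignore[return-value]


def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, minimum fixed version) for one installed build."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True, fixed
    return False, None


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the inventory entries whose build falls in an affected range."""
    findings = []
    for entry in inventory:
        affected, fixed = assess(entry["version"])
        if affected:
            findings.append({"host": entry["host"], "version": entry["version"],
                             "upgrade_to": fixed or ""})
    return findings


# Constructed sample inventory (not real hosts) so the script runs stand-alone.
SAMPLE_INVENTORY = [
    {"host": "automation-01.example.test", "version": "2025.0.8"},
    {"host": "automation-02.example.test", "version": "2025.0.9"},
    {"host": "automation-03.example.test", "version": "2024.1.7"},
    {"host": "automation-04.example.test", "version": "2023.0.2"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['version']} affected, upgrade to {f['upgrade_to']}")
```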

Details

CWE(s): CWE-305

Affected Products: Progress MOVEit Automation, ≤ 2024.1.8 and 2025.0.0 to 2025.1.5

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The authentication bypass in the network-accessible MOVEit Automation application directly enables remote exploitation of a public-facing application without credentials or user interaction.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)
