Authentication Bypass Vulnerability in MOVEit Automation by Progress Software
CVE-2026-4670

9.8CRITICAL

Key Information:

Vendor

Progress Software
Status
Moveit Automation
Vendor
CVE Published:
30 April 2026

Badges

๐Ÿ“ˆ Score: 1,310๐Ÿ’ฐ Ransomware๐Ÿ‘พ Exploit Exists๐Ÿ“ฐ News Worthy

What is CVE-2026-4670?

CVE-2026-4670 is a significant vulnerability identified within the MOVEit Automation software suite developed by Progress Software. This software is commonly utilized for automating file transfer processes among various enterprises and is a critical tool for managing sensitive data workflows. The vulnerability specifically involves an authentication bypass, which means that attackers could potentially gain unauthorized access to the system without proper authentication credentials. This can significantly jeopardize an organization's data security, as it allows attackers to manipulate, exfiltrate, or destroy sensitive information without detection. The versions affected by this vulnerability include MOVEit Automation from 2025.0.0 before 2025.0.9 and from 2024.0.0 before 2024.1.8, along with any versions prior to 2024.0.0.

Potential impact of CVE-2026-4670

  1. Unauthorized Access: The most immediate risk associated with this vulnerability is the potential for unauthorized access to the MOVEit Automation system. Attackers exploiting this flaw could bypass security mechanisms and gain control over file transfer operations, leading to the theft or manipulation of sensitive data.

  2. Data Breaches: With the ability to access critical data without authentication, organizations face an increased risk of data breaches. Sensitive information, including customer data and proprietary business processes, could be exposed, leading to financial loss and reputational damage.

  3. Disruption of Services: The ability to exploit this vulnerability might also allow attackers to disrupt normal operations. Unauthorized changes to file transfer configurations could lead to service outages or data loss, severely impacting an organization's operational continuity and trust with clients and stakeholders.

Affected Version(s)

MOVEit Automation 2025.0.0 < 2025.0.9

MOVEit Automation 2024.0.0 < 2024.1.8

MOVEit Automation 0 < 2024.0.0

News Articles

favicon imageThe Hacker News

Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass

MOVEit Automation flaws (CVE-2026-4670, CVE-2026-5174) enable bypass and escalation, risking enterprise data exposure.

2 weeks ago

favicon imageBleepingComputer

Progress warns of critical MOVEit Automation auth bypass flaw

Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application.

2 weeks ago

References

https://community.progress.com/s/article/MOVEit-Automatio...
vendor-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐Ÿ’ฐ

    Used in Ransomware

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Credit

Airbus SecLab
Anaรฏs Gantet
Delphine Gourdou
Quentin Liddell
Matteo Ricordeau
.