CVE-2026-22283: Dell PowerFlex Manager, version(s) Version prior to 4
Dell PowerFlex Manager, versions prior to 4.8, contains an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 4.5.5.2 or later
- Affected Products: 1
HarborGuard Analysis
Synopsis
An Inclusion of Functionality from Untrusted Control Sphere vulnerability affects Dell PowerFlex Manager versions prior to 4.8. The flaw is reachable over the network without authentication, though exploitation requires victim interaction and favorable environmental conditions. Successful exploitation gives an attacker access to sensitive information from the affected system. Patched-image rebuilds at versions 4.5.5.2 and 5.1.0.1 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-22283 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Dell PowerFlex Manager. Coverage applies to both registry scans and inline pipeline checks at build time.
HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at version 4.5.5.2 or 5.1.0.1 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the PowerFlex Manager service over the network; no local or physical access to the host is required.
- Authentication: Not required
  No credentials or session token are needed; the vulnerable code path is accessible to unauthenticated remote requests.
- Victim interaction: Required
  A user must take some action (such as visiting a crafted link or loading attacker-influenced content) for the exploit to complete.
- Attack complexity: High (AC:H)
  Exploitation depends on conditions beyond the attacker's direct control, such as specific race conditions, memory layout, or environmental state, making reliable exploitation harder than a straightforward request.
Blast Radius
- A successful attacker reads sensitive information stored or processed by PowerFlex Manager, such as configuration data, credentials, or internal system details.
- Confidentiality of the affected host is fully compromised (CVSS C:H), meaning the attacker can access all data the service can reach.
- Integrity of stored data is also fully compromised (CVSS I:H), allowing the attacker to modify persisted configuration or management records.
- Availability of the service is fully compromised (CVSS A:H), meaning the attacker can crash or render PowerFlex Manager unresponsive.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication and matches against every customer image that bundles an affected Dell PowerFlex Manager version, including internally built images. Where compliance policy permits and auto-remediation is enabled, HarborGuard rebuilds the image at version 4.5.5.2 (for the 4.x line) or 5.1.0.1 (for the 5.x line), runs a regression test, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuild is staged and flagged for manual review. Until a rebuilt image is deployed, network-policy isolation of the PowerFlex Manager service and egress filtering to limit untrusted external connections are available as compensating controls within HarborGuard's policy engine.
Fix available
- Dell / PowerFlex: versions from 0 up to (but not including) 5.1.0.1, fixed in 5.1.0.1 or later; versions from 0 up to (but not including) 4.5.5.2, fixed in 4.5.5.2 or later
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H