CRITICAL · CVE-2026-32999 · CNA: hackerone

CVE-2026-32999: Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices

Insufficient character filtering in the backup agent signing module on Comet Backup server allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices.

HarborGuard Analysis

Synopsis

An insufficient character filtering vulnerability in the backup agent signing module of Comet Backup server allows an authenticated tenant administrator to inject and execute arbitrary code on behalf of a privileged user. The attack is reachable over the network, requires a tenant administrator account but no further privilege, and its impact extends beyond the affected server to connected devices. Successful exploitation gives an attacker full control over the server and connected backup clients, including the ability to read, modify, or destroy all data handled by the service. Patched-image rebuilds at versions 26.4.3 and 26.5.0 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-32999 is available across every HarborGuard environment. Vulnerability metadata is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Comet Backup components, across registries and CI/CD pipelines.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.1 (Critical) and weighting findings against each customer organization's compliance policy. Routing to the appropriate team or inbox within a customer environment is handled automatically based on configured ownership and policy rules.

Patch: Available

A patched-image rebuild at version 26.4.3 or 26.5.0 becomes available on HarborGuard as soon as images referencing an affected version of Comet Backup are identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Comet Backup server's signing module over the network; the service must be exposed to the attacker's network path.

  • Authentication: Not required

    The CVSS vector specifies PR:N, so no pre-existing account is required to begin the attack; on that reading, the tenant administrator role is obtained through publicly accessible tenant administrator provisioning rather than held as a credential in advance. Note that the vulnerability description states the attacker acts as an authenticated tenant administrator, so gaining that role is part of the attack path; the vector and the description therefore do not agree on the privileges required.

  • Victim interaction: Not required

    No user action or social engineering is needed; exploitation is fully attacker-driven with no required victim interaction (UI:N).

  • Attack complexity: High

    Attack complexity is rated High (AC:H), meaning the attacker must navigate specific environmental conditions or timing constraints, such as a particular server state or configuration, rather than launching a simple, always-reliable exploit.

Blast Radius

  • The attacker executes arbitrary code in the context of a privileged user on the Comet Backup server, gaining full command execution over the host.
  • Confidentiality impact is High: the attacker reads backup data, stored credentials, configuration secrets, and any customer records accessible to the privileged process.
  • Integrity impact is High: the attacker modifies or poisons backup archives, agent configurations, and persisted server data on the affected host.
  • Availability impact is High, and the scope change (S:C) means the attacker can crash or disable the backup server and disrupt connected backup agent devices, taking down backup coverage for all tenants on the affected instance.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-32999 is active for any image containing an affected version of Comet Backup (all releases before 26.4.3 in the 26.4.x line or before 26.5.0 in the 26.5.x line). Given the Critical CVSS score of 9.1 and the scope-change impact, this CVE is prioritized at the highest triage tier. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the fixed version (26.4.3 or 26.5.0), run a regression test pass, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before merging, HarborGuard queues the rebuild and surfaces the PR for human review. Until a rebuild is deployed, customers can reduce exposure by applying network policy controls that restrict inbound access to the Comet Backup server's signing endpoint to known, trusted IP ranges only.
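The affected-package entry at the bottom of this page lists two open-ended ranges, "< 26.4.3 (from 0)" and "< 26.5.0 (from 0)", while the analysis above reads them per branch (26.4.x fixed from 26.4.3, otherwise fixed from 26.5.0). The following added example, not HarborGuard's own matcher, shows both readings side by side so the difference is visible; it assumes plain three-part numeric version strings and that builds outside the 26.4.x line are compared against 26.5.0.

```python
# Affected-version check for CVE-2026-32999 (added example; not HarborGuard code).
# Branch-wise reading of the advisory: a 26.4.x build is fixed from 26.4.3, and
# any other build is fixed from 26.5.0 (assumption for builds older than 26.4).
# The raw feed ranges "< 26.4.3 (from 0)" and "< 26.5.0 (from 0)" overlap, so a
# literal matcher also flags patched 26.4.x builds such as 26.4.4.
import re

FIX_LINES = {(26, 4): (26, 4, 3)}   # branch -> first fixed version in that branch
DEFAULT_FIX = (26, 5, 0)            # first fixed version for every other branch


def parse_version(s):
    """Turn '26.4.3' into (26, 4, 3); reject anything that is not x.y.z numeric."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_branchwise(version):
    """True if the build precedes the fix for its own release line."""
    v = parse_version(version)
    return v < FIX_LINES.get(v[:2], DEFAULT_FIX)


def is_affected_literal(version):
    """Literal reading of the feed ranges: affected if below either bound."""
    v = parse_version(version)
    return v < (26, 4, 3) or v < (26, 5, 0)


def recommended_fix(version):
    """Version a rebuild should target for an affected build, else None."""
    v = parse_version(version)
    fix = FIX_LINES.get(v[:2], DEFAULT_FIX)
    return ".".join(map(str, fix)) if v < fix else None


if __name__ == "__main__":
    for ver in ("26.4.2", "26.4.4", "26.5.0", "25.12.0"):
        print(ver, is_affected_branchwise(ver), is_affected_literal(ver), recommended_fix(ver))
```

A matcher that takes the feed ranges literally will keep raising this CVE on 26.4.3 and later 26.4.x rebuilds, so detection rules should encode the per-branch fix versions rather than the raw bounds.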


Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 26.4.3
Affected Products: 1

Fix available: 26.4.3, 26.5.0

Affected packages
  • WebPros / Comet Backup
    < 26.4.3 (from 0) · < 26.5.0 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H