HIGH · CVE-2026-35065 · CNA: dell

CVE-2026-35065: Dell PowerFlex Manager, version(s) [Versions], contain(s) a Missing Authentication for Critical Function vulnerability

Dell PowerFlex Manager, version(s) [Versions], contain(s) a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 4.5.5.2 or later
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Missing authentication for a critical function in Dell PowerFlex Manager allows an unauthenticated attacker on the same network segment to invoke privileged operations without providing any credentials. The vulnerability is reachable from an adjacent network (such as a LAN or shared management VLAN) and requires no user interaction or prior authentication. Successful exploitation gives the attacker full code execution, the ability to read or alter managed infrastructure data, and the ability to crash the service. Patched-image rebuilds at versions 4.5.5.2 and 5.1.0.1 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Dell PowerFlex Manager components. Any image running a vulnerable version is flagged automatically in both registry scans and CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.8 HIGH and weights it further against each environment's compliance policy, so teams with stricter network-exposure rules see it surfaced at higher urgency. Triage tickets are routed to the relevant team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at Dell PowerFlex Manager 4.5.5.2 or 5.1.0.1 becomes available on HarborGuard as soon as the fix versions are confirmed in upstream advisories. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Detail

    The vulnerable service must be reachable from an adjacent network such as a local LAN, shared management VLAN, or VPN segment; remote internet exposure is not required but adjacency is the key prerequisite.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is precisely that a critical function is exposed without any authentication gate.

  • Victim interaction: Not required

    The attacker sends crafted requests directly to the service and no user action or victim click is required to trigger exploitation.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors need to be satisfied.

Blast Radius

  • Attacker executes arbitrary code or scripts on the PowerFlex Manager host, gaining a foothold inside the infrastructure management plane.
  • Attacker reads sensitive configuration data, credentials, and operational state managed by PowerFlex Manager.
  • Attacker modifies infrastructure configuration or persisted management data, potentially altering storage or compute provisioning.
  • Attacker crashes the PowerFlex Manager service, disrupting orchestration and management operations for attached infrastructure.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image found to carry a vulnerable Dell PowerFlex Manager version, covering both pulled upstream images and custom-built images. Given the CVSS 8.8 HIGH rating and the adjacent-network, no-auth attack path, this CVE is prioritized at high urgency in policy-weighted triage. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fixed version (4.5.5.2 for the 4.x line or 5.1.0.1 for the 5.x line), runs a regression test pass against the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not permitted by compliance policy, the finding appears in the triage queue with fix-version details so engineers can act manually. Until patching is applied, consider isolating PowerFlex Manager to a dedicated management VLAN with strict ingress controls so that adjacency requirements limit the pool of potential attackers.

Fix available

  • 4.5.5.2 or later
  • 5.1.0.1 or later
Affected packages
  • Dell / PowerFlex
    < 5.1.0.1 or later (from 0) · < 4.5.5.2 or later (from 0)
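
Because the fix ships on two release lines, a single upper-bound comparison misclassifies hosts: checking only against 4.5.5.2 misses unpatched 5.x installs, and checking only against 5.1.0.1 flags a patched 4.5.5.2 install. The following branch-aware check is an added example, not HarborGuard's or Dell's code; it assumes versions are dotted integers, and the host names and the non-fix version numbers in the sample inventory are constructed.

```python
# Added example: branch-aware triage for CVE-2026-35065.
# Fix versions per release line, as stated on this page.
FIXED = {4: (4, 5, 5, 2), 5: (5, 1, 0, 1)}


def parse_version(text):
    """Turn '4.5.5.2' into (4, 5, 5, 2); reject anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def naive_single_bound(text, bound=(4, 5, 5, 2)):
    """The error-prone check: one upper bound for every release line."""
    return parse_version(text) < bound


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one installed version."""
    v = parse_version(text)
    major = v[0]
    if major in FIXED:
        # Compare only against the fix for this version's own release line.
        return "affected" if v < FIXED[major] else "fixed"
    if major < min(FIXED):
        # The affected ranges on this page start "from 0".
        return "affected"
    # Release lines the page does not list are not guessed at.
    return "unknown"


def triage(inventory):
    """Map each host in an inventory dict to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory; hosts and non-fix versions are illustrative only.
SAMPLE_INVENTORY = {
    "pfxm-a": "4.5.5.1",
    "pfxm-b": "4.5.5.2",
    "pfxm-c": "5.0.2.0",
    "pfxm-d": "5.1.0.1",
    "pfxm-e": "3.8.0.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```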
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H