CVE-2026-35066: Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Access Control vulnerability
Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 4.5.5.2 or later
- Affected Products: 1
HarborGuard Analysis
Synopsis
An improper access control vulnerability affects Dell PowerFlex Manager in versions prior to 4.5.5.2 and 5.1.0.1. The flaw is reachable over the network by any low-privileged authenticated user, requiring no victim interaction. Successful exploitation disrupts the availability of the PowerFlex Manager service, causing a denial of service. A patched-image rebuild at versions 4.5.5.2 and 5.1.0.1 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-35066 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Dell PowerFlex Manager. Any image running a vulnerable version of PowerFlex Manager is flagged automatically as it passes through registry scans or CI/CD pipeline checks.
HarborGuard is capable of scoring this CVE at CVSS 7.1 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
A patched-image rebuild at Dell PowerFlex Manager versions 4.5.5.2 or 5.1.0.1 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must reach the PowerFlex Manager service over the network; local access is not sufficient.
- Authentication: Required. Any low-privilege account is sufficient; no administrative credentials are needed.
- Victim interaction: Not required. No user action or social engineering is needed to trigger the vulnerability.
- Attack complexity: Low (AC:L). The exploit is reliable and condition-free, with no race conditions or specific environmental dependencies required.
Blast Radius
- The attacker crashes or renders the Dell PowerFlex Manager service unresponsive, interrupting management-plane operations for the PowerFlex infrastructure it controls.
- Integrity impact is limited; the attacker can make minor unauthorized modifications to data exposed through the access control gap.
- Confidentiality is not impacted; stored credentials, configuration data, and customer records are not readable through this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and patched-image rebuilds for CVE-2026-35066 are all capability-ready. For environments running Dell PowerFlex Manager below version 4.5.5.2 or 5.1.0.1, HarborGuard can build a remediated image at the fixed version. For customers who opt into auto-remediation, the typical flow includes a rebuild, a regression test run, and a PR opened against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, HarborGuard surfaces the finding with full CVSS context and routes it to the designated owner. Until a rebuilt image is deployed, consider applying network-policy controls to restrict PowerFlex Manager access to known, authorized clients only, reducing the pool of low-privileged accounts that can reach the vulnerable endpoint.
Fix available
- Dell / PowerFlex: versions < 5.1.0.1 (from 0), fixed in 5.1.0.1 or later; versions < 4.5.5.2 (from 0), fixed in 4.5.5.2 or later
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H