HIGH · CVE-2026-49502 · CNA: dell

CVE-2026-49502: Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Authentication vulnerability

Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access.

Metrics

  • CVSS v3.1: 7.4
  • Severity: HIGH
  • Fixed in: 4.5.5.2 or later
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An improper authentication vulnerability in Dell PowerFlex Manager allows an unauthenticated attacker on the same network segment to bypass authentication entirely. Reachable from an adjacent network (such as a shared LAN or VPN), the flaw requires no credentials and no victim interaction to exploit. Successful exploitation gives an attacker access to sensitive information managed by PowerFlex Manager, with no authentication barrier standing in the way. Patched-image rebuilds at versions 4.5.5.2 and 5.1.0.1 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: CVE-2026-49502 is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active CI/CD pipelines, including custom-built images that bundle Dell PowerFlex Manager components.

Triage (Available)

HarborGuard scores this CVE at 7.4 HIGH (CVSS v3.1) and weights it against each environment's compliance policy to prioritize routing; affected workloads are flagged and forwarded to the appropriate team inbox within each customer organization.

Patch (Available)

A patched-image rebuild at Dell PowerFlex Manager versions 4.5.5.2 or 5.1.0.1 is available through HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: adjacent network

    The attacker must be on an adjacent network such as a shared LAN, VLAN, or VPN segment; direct internet exposure is not required, but local network access is necessary.

  • Authentication: not required

    No credentials of any kind are needed; the vulnerability can be reached by any unauthenticated party on the adjacent network.

  • Victim interaction: not required

    The attacker does not need to trick or involve any user; exploitation is fully attacker-driven with no social-engineering step.

  • Attack complexity: low

    Exploitation is straightforward and condition-free; no race conditions, memory layout dependencies, or other environmental factors need to align.

Blast Radius

  • An attacker reads sensitive information managed by PowerFlex Manager, which may include infrastructure credentials, configuration secrets, and operational metadata.
  • The vulnerability carries a High confidentiality impact (C:H on CVSS), meaning a successful attacker gains broad read access to protected data, not just isolated fragments.
  • Because the scope is changed (S:C), the disclosure can extend beyond the PowerFlex Manager process itself to dependent systems or downstream infrastructure components that trust its data.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against scanned images within minutes of publication, and patched rebuilds at Dell PowerFlex Manager versions 4.5.5.2 and 5.1.0.1 are made available immediately for any customer image found running an affected version. For customers who opt into auto-remediation, HarborGuard performs a full image rebuild at the fixed version, runs a regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy or network architecture makes immediate patching impractical, customers can apply compensating controls such as network-policy rules that restrict adjacency to the PowerFlex Manager service, VLAN segmentation to limit which hosts can reach the management plane, and egress filtering to reduce the blast radius of any information that might be exfiltrated.


Fix available

  • 4.5.5.2 or later
  • 5.1.0.1 or later

Affected packages

  • Dell / PowerFlex: < 4.5.5.2 (from 0); < 5.1.0.1 (from 0)

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N