HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-51947Published Modified CNA mitre

CVE-2026-51947: An issue in Pivotal CRM 6

An issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip (fixed in Pivotal CRM 6.6.5.10 and Patch_CWE502_20260316.zip) allows a remote attacker to execute arbitrary code via the Pivotal.Engine.Client.Services.Conversion.dll component. NOTE: this issue exists because of an incomplete fix for CVE-2026-39253.

Metrics

CVSS v3.1
9.8
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Remote code execution via insecure deserialization in Pivotal CRM 6.6.4.08 and systems running patch-ghi-15381-cwe-502-20251225.zip. The vulnerability is reachable over the network with no authentication and no user interaction required, through the Pivotal.Engine.Client.Services.Conversion.dll component. Successful exploitation gives an attacker full remote code execution on the affected host. Note: this is an incomplete fix for CVE-2026-39253, meaning prior mitigations are insufficient. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment fix versions are published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-51947 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images, in connected registries and CI/CD pipelines.

Available
Triage

Triage is available using the CVSS v3.1 score of 9.8 (CRITICAL), weighted against each environment's compliance policy to set priority. Routing to the appropriate team inbox within each customer organization is available automatically based on configured ownership rules.

Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed fix appears. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once an upstream patch is confirmed.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable component is exposed over the network; an attacker must be able to reach it via a standard network connection.

  • AuthenticationNot required

    No credentials or session token are needed; the attacker can target the service as an unauthenticated user.

  • Victim interactionNot required

    No user action such as clicking a link or opening a file is needed to trigger the vulnerability.

  • Attack complexityDetail

    The exploit is reliable and condition-free; no race conditions, memory layout knowledge, or special environmental state is required.

Blast Radius

  • Attacker executes arbitrary operating system commands on the host running the Pivotal CRM service.
  • All data accessible to the CRM process is readable, including stored customer records, credentials, and session tokens.
  • Attacker can write, modify, or delete persisted data managed by the CRM, including database rows and configuration files.
  • The affected service and dependent processes can be crashed or made permanently unavailable.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-51947, HarborGuard continuously re-evaluates the advisory on every ingest cycle. When Pivotal publishes a confirmed fix (a new release beyond 6.6.4.08 or a replacement patch superseding patch-ghi-15381-cwe-502-20251225.zip), a patched-image rebuild at that version becomes available immediately. For customers who opt into auto-remediation, the rebuild is followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls available within HarborGuard include network-policy annotations that can isolate the affected container from unauthenticated inbound traffic, egress filtering rules to limit blast radius if the host is compromised, and flagging of the image in any compliance gate that blocks promotion of images carrying unresolved CRITICAL-severity CVEs. This CVE is an incomplete fix for CVE-2026-39253, so environments that applied the prior patch should treat themselves as still exposed until the new upstream fix is confirmed and rebuilt.

See how HarborGuard automates this
Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H