CVE-2026-51947: An issue in Pivotal CRM 6
An issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip (fixed in Pivotal CRM 6.6.5.10 and Patch_CWE502_20260316.zip) allows a remote attacker to execute arbitrary code via the Pivotal.Engine.Client.Services.Conversion.dll component. NOTE: this issue exists because of an incomplete fix for CVE-2026-39253.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Remote code execution via insecure deserialization in Pivotal CRM 6.6.4.08 and systems running patch-ghi-15381-cwe-502-20251225.zip. The vulnerability is reachable over the network with no authentication and no user interaction required, through the Pivotal.Engine.Client.Services.Conversion.dll component. Successful exploitation gives an attacker full remote code execution on the affected host. Note: this issue results from an incomplete fix for CVE-2026-39253, so the mitigations applied for that CVE are insufficient. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment fix versions are published upstream.
HarborGuard Coverage
Detection for CVE-2026-51947 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images, in connected registries and CI/CD pipelines.
Triage is available using the CVSS v3.1 score of 9.8 (CRITICAL), weighted against each environment's compliance policy to set priority. Routing to the appropriate team inbox within each customer organization is available automatically based on configured ownership rules.
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed fix appears. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once an upstream patch is confirmed.
Exploit Conditions
- Network reachability: Required
The vulnerable component is exposed over the network; an attacker must be able to reach it via a standard network connection.
- Authentication: Not required
No credentials or session token are needed; the attacker can target the service as an unauthenticated user.
- Victim interaction: Not required
No user action such as clicking a link or opening a file is needed to trigger the vulnerability.
- Attack complexity: Low
The exploit is reliable and condition-free; no race conditions, memory layout knowledge, or special environmental state is required.
Blast Radius
- Attacker executes arbitrary operating system commands on the host running the Pivotal CRM service.
- All data accessible to the CRM process is readable, including stored customer records, credentials, and session tokens.
- Attacker can write, modify, or delete persisted data managed by the CRM, including database rows and configuration files.
- The affected service and dependent processes can be crashed or made permanently unavailable.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-51947, HarborGuard continuously re-evaluates the advisory on every ingest cycle. When Pivotal publishes a confirmed fix (a new release beyond 6.6.4.08 or a replacement patch superseding patch-ghi-15381-cwe-502-20251225.zip), a patched-image rebuild at that version becomes available immediately. For customers who opt into auto-remediation, the rebuild is followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls available within HarborGuard include network-policy annotations that can isolate the affected container from unauthenticated inbound traffic, egress filtering rules to limit blast radius if the host is compromised, and flagging of the image in any compliance gate that blocks promotion of images carrying unresolved CRITICAL-severity CVEs. This CVE is an incomplete fix for CVE-2026-39253, so environments that applied the prior patch should treat themselves as still exposed until the new upstream fix is confirmed and rebuilt.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H