CRITICAL · CVE-2026-7858 · Published · Modified · CNA 3DS

CVE-2026-7858: Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x

A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x could lead to an unauthenticated remote code execution.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected Products: 5


HarborGuard Analysis

Synopsis

A deserialization of untrusted data vulnerability affects Teamwork Cloud (No Magic Release 2022x through 2026x) and Magic Collaboration Studio (CATIA Magic Release 2022x through 2026x) from Dassault Systèmes. The vulnerability is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable from any network position that can reach the service. Successful exploitation grants an attacker full remote code execution on the affected host. No fix versions have been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available the moment Dassault Systèmes releases a patch.

HarborGuard Coverage

Detection

Detection for CVE-2026-7858 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that package Teamwork Cloud or Magic Collaboration Studio components. Any image in a connected registry or CI pipeline that carries an affected version of these products is flagged automatically.

Status: Available

Triage

HarborGuard surfaces this vulnerability with its CVSS v3.1 score of 9.8 (Critical), weighted further against each customer environment's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules, so the right engineers see the alert without manual triage.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Dassault Systèmes advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without requiring manual intervention once a patch becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker can send malicious serialized data from any network-accessible position without requiring LAN or physical proximity.

  • Authentication: Not required

    No credentials or session token of any privilege level are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker does not need to social-engineer any user; exploitation is fully server-side with no required action from a logged-in user.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and repeatable with no race conditions, memory-layout dependencies, or other environmental factors required.

Blast Radius

  • An attacker executes arbitrary code as the process user on the host running Teamwork Cloud or Magic Collaboration Studio.
  • All data accessible to that process, including model files, collaboration artifacts, and stored credentials, is readable by the attacker.
  • The attacker can write or delete files, modify persisted model data, and alter application state on the compromised host.
  • The service can be crashed or made unavailable, disrupting collaborative engineering workflows that depend on it.

How HarborGuard Handles This

Available on HarborGuard: since no upstream patch exists for CVE-2026-7858 as of publication, HarborGuard continuously monitors the Dassault Systèmes advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers who opt into auto-remediation, that rebuild triggers a regression-test run and opens a PR against affected workloads with no manual steps required.

In the interim, compensating controls are worth considering: network-policy isolation to restrict inbound access to Teamwork Cloud and Magic Collaboration Studio endpoints to trusted IP ranges only, egress filtering to limit what the process can reach if it is compromised, and feature-flag or deployment-level gating to disable the affected service in environments where it is not actively required.

HarborGuard will surface the patched rebuild as soon as the upstream fix is published, and the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled, once a fix version exists.

Affected packages
  • Dassault Systèmes / Teamwork Cloud - Standard Edition
    ≤ No Magic Release 2022x Refresh2 HF3 · ≤ No Magic Release 2024x Refresh3 HF1 · ≤ No Magic Release 2026x Golden HF2
  • Dassault Systèmes / Teamwork Cloud - Business Edition
    ≤ No Magic Release 2022x Refresh2 HF3 · ≤ No Magic Release 2024x Refresh3 HF1 · ≤ No Magic Release 2026x Golden HF2
  • Dassault Systèmes / Teamwork Cloud - Business Pro Edition
    ≤ No Magic Release 2022x Refresh2 HF3 · ≤ No Magic Release 2024x Refresh3 HF1 · ≤ No Magic Release 2026x Golden HF2
  • Dassault Systèmes / Teamwork Cloud - Enterprise Edition
    ≤ No Magic Release 2022x Refresh2 HF3 · ≤ No Magic Release 2024x Refresh3 HF1 · ≤ No Magic Release 2026x Golden HF2
  • Dassault Systèmes / Magic Collaboration Studio
    ≤ CATIA Magic Release 2022x Refresh2 HF3 · ≤ CATIA Magic Release 2024x Refresh3 HF1 · ≤ CATIA Magic Release 2026x Golden HF2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H