MOVEit Automation Critical Authentication Bypass (CVE-2026-4670)
The National Vulnerability Database has disclosed a critical authentication bypass vulnerability, CVE-2026-4670, affecting Progress Software’s MOVEit Automation. This flaw, classified as CWE-305 (Authentication Bypass by Primary Weakness), allows an unauthenticated attacker to bypass authentication mechanisms entirely and gain unauthorized access.
Rated with a CVSS score of 9.8 (CRITICAL), this vulnerability poses an extreme risk. It affects MOVEit Automation versions from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, and all versions prior to 2024.0.0. Because an attacker can completely sidestep authentication, they could potentially access sensitive file transfer operations, configurations, and data.
For defenders, this is a red alert. MOVEit Automation is often used for critical, high-volume data transfers, making unauthorized access a direct path to data exfiltration, manipulation, or disruption of business-critical processes. Patching is not optional; it’s an immediate imperative.
What This Means For You
- If your organization uses MOVEit Automation, immediately verify your deployed versions against the National Vulnerability Database's advisory for CVE-2026-4670. Prioritize patching to the latest secure versions (2025.0.9 or 2024.1.8, or newer if available) to prevent unauthenticated access. If you were running affected versions, assume compromise and audit logs for any unusual activity or unauthorized file transfers.
🛡️ Detection Rules
CVE-2026-4670 MOVEit Automation Authentication Bypass
```yaml
title: CVE-2026-4670 MOVEit Automation Authentication Bypass
id: scw-2026-04-30-ai-1
status: experimental
level: critical
description: |
  Detects the specific API endpoint and method used in the authentication bypass vulnerability (CVE-2026-4670) in MOVEit Automation. Successful exploitation allows unauthenticated access to the API.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4670/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/token'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
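The rule's selection also matches every legitimate successful token request, so hits need triage by source. The sketch below is an added example, not part of the original rule or any vendor tooling: it applies the same three conditions to web server logs and groups hits by client IP. It assumes IIS W3C-format logs with `c-ip` and `cs-uri-stem` fields and a hypothetical operator-supplied allowlist (`known_admin_ips`); the sample log lines are constructed.

```python
from collections import Counter

# Constructed sample log (not real traffic), laid out in IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-04-30 19:20:01 10.0.0.5 POST /api/v1/token - 200
2026-04-30 19:20:07 203.0.113.7 POST /api/v1/token - 401
2026-04-30 19:21:12 203.0.113.7 POST /api/v1/token - 200
2026-04-30 19:21:15 203.0.113.7 GET /api/v1/tasks - 200
2026-04-30 19:22:40 198.51.100.9 POST /API/v1/Token - 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))


def matches_rule(event):
    """Mirror the Sigma selection: URI contains, method and status all match.

    Sigma string matching is case-insensitive, so the URI is lowercased.
    Assumption: the rule's cs-uri maps to the cs-uri-stem log field.
    """
    return ("/api/v1/token" in event.get("cs-uri-stem", "").lower()
            and event.get("cs-method", "").upper() == "POST"
            and event.get("sc-status") == "200")


def triage(text, known_admin_ips=frozenset()):
    """Count rule hits per client IP, dropping sources already vetted."""
    hits = Counter(e.get("c-ip", "-") for e in parse_w3c(text) if matches_rule(e))
    return {ip: n for ip, n in hits.items() if ip not in known_admin_ips}


if __name__ == "__main__":
    for ip, count in triage(SAMPLE_LOG, known_admin_ips={"10.0.0.5"}).items():
        print(f"{ip}: {count} successful token request(s) to review")
```
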
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4670 | Auth Bypass | Progress Software MOVEit Automation |
| CVE-2026-4670 | Auth Bypass | MOVEit Automation versions from 2025.0.0 before 2025.0.9 |
| CVE-2026-4670 | Auth Bypass | MOVEit Automation versions from 2024.0.0 before 2024.1.8 |
| CVE-2026-4670 | Auth Bypass | MOVEit Automation versions prior to 2024.0.0 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.