PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9089 ConnectWise CVE debrief

CVE-2026-9089 is a high-severity authenticity verification weakness in the ConnectWise Automate Agent. According to the vendor bulletin referenced by NVD, the agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. The issue is addressed in Automate 2026.5.

Vendor
ConnectWise
Product
Automate
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Organizations running ConnectWise Automate, especially teams that manage or rely on the Automate Agent across endpoints. Security and operations teams responsible for patching, agent lifecycle management, and plugin distribution should treat this as a priority.

Technical summary

The supplied sources describe a CWE-494-style problem: the Automate Agent does not fully verify the authenticity of components it retrieves for plugin loading and self-update operations. That weakens trust in the update/component delivery path and can allow untrusted components to be accepted by the agent. NVD lists the issue with CVSS v3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and a score of 8.8, indicating potentially broad impact if the trust boundary is bypassed.

Defensive priority

High. The CVSS score is 8.8, the weakness is in an agent that handles plugins and updates, and the vendor states the issue is fixed in Automate 2026.5. Prioritize patching exposed or widely deployed agents first.

Recommended defensive actions

  • Upgrade ConnectWise Automate to version 2026.5 or later as directed in the vendor bulletin.
  • Identify all systems running the Automate Agent and confirm which versions are deployed before and after remediation.
  • Review plugin and self-update distribution paths for unexpected changes or unapproved components.
  • Monitor agent behavior and logs for unusual update activity, failed verification events, or unexpected plugin loads.
  • If immediate patching is not possible, apply the strongest available compensating controls around agent management and update distribution, and limit exposure of affected systems.

Evidence notes

Primary evidence comes from the ConnectWise security bulletin referenced by NVD and the NVD record itself. The source corpus states that the ConnectWise Automate Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations, and that the issue is addressed in Automate 2026.5. NVD assigns CWE-494 and lists CVSS v3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with a score of 8.8. The CVE was published and modified on 2026-05-21. No KEV entry is present in the supplied timeline.

Official resources

Published in the CVE/NVD record on 2026-05-21. At the time of the supplied source snapshot, NVD marked the CVE as undergoing analysis. The supplied corpus includes an official ConnectWise bulletin reference and no Known Exploited Vulnerabil