PatchSiren cyber security CVE debrief
CVE-2026-8488 Progress Software CVE debrief
CVE-2026-8488 is a medium-severity availability issue in Progress Software MOVEit Automation. The published record describes an allocation-of-resources-without-limits-or-throttling weakness (CWE-770), which can lead to excessive allocation and service degradation if left unpatched. NVD lists the issue as affecting MOVEit Automation before 2025.0.11 and from 2025.1.0 before 2025.1.7.
- Vendor: Progress Software
- Product: MOVEit Automation
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Administrators and security teams running Progress MOVEit Automation should prioritize this advisory, especially where the service is internet-facing or where availability is business-critical. The published CVSS vector indicates network access with low privileges required and an availability impact, so even non-admin users with access to the service may be relevant to risk assessment.
Technical summary
NVD records CVE-2026-8488 as a CWE-770 resource-management issue in MOVEit Automation. The official vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, indicating network reachability, low required privileges, no user interaction, and an availability-only impact. The affected ranges cited in the record are before 2025.0.11 and 2025.1.0 through 2025.1.6.
Defensive priority
Moderate: patching is recommended because the issue can affect availability, but the published severity is medium and the impact is limited to denial-of-service style resource exhaustion rather than confidentiality or integrity loss.
Recommended defensive actions
- Upgrade MOVEit Automation to 2025.0.11 or later if you are on the 2025.0.x line.
- Upgrade MOVEit Automation to 2025.1.7 or later if you are on the 2025.1.x line.
- Confirm whether your deployment falls within the affected version ranges before planning maintenance.
- Review the vendor release notes referenced by NVD to validate the fixed build for your installation.
- Monitor the service for unusual CPU, memory, disk, or worker-queue growth while unpatched.
- Apply standard access controls and least-privilege practices to reduce exposure while remediation is underway.
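To support the version-confirmation step above, the following added example (not vendor or NVD code) triages an inventory against the affected ranges stated on this page. The dotted numeric version format, the optional fourth build component, and the sample hostnames are assumptions.

```python
import re

# Affected ranges exactly as stated on this page (NVD record for CVE-2026-8488):
#   versions before 2025.0.11, and 2025.1.0 up to but not including 2025.1.7.
FIXED_2025_0 = (2025, 0, 11)
START_2025_1 = (2025, 1, 0)
FIXED_2025_1 = (2025, 1, 7)

def parse_version(text):
    """Turn '2025.1.6' or '2025.1.6.432' into a comparable tuple of at least 3 ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):  # assumed format: 2-4 dotted numbers
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version_text):
    """Return (status, upgrade_target) for one installed version."""
    v = parse_version(version_text)
    if v < FIXED_2025_0:
        # The page names a fix only for the 2025.0.x line; older lines get no target here.
        target = "2025.0.11" if v[:2] == (2025, 0) else None
        return ("affected", target)
    if START_2025_1 <= v < FIXED_2025_1:
        return ("affected", "2025.1.7")
    return ("not in affected range", None)

def triage_inventory(rows):
    """rows: iterable of (host, version); unparseable versions go to manual review."""
    report = {}
    for host, version in rows:
        try:
            report[host] = triage(version)
        except ValueError:
            report[host] = ("manual review", None)
    return report

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    ("mia-01", "2025.0.10"), ("mia-02", "2025.0.11"),
    ("mia-03", "2025.1.6.432"), ("mia-04", "2025.1.7"),
    ("mia-05", "2024.1.3"), ("mia-06", "unknown"),
]

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}" + (f", upgrade to {target} or later" if target else ""))
```

Hosts on lines older than 2025.0.x are reported as affected with no target, because this page names fixed builds only for the 2025.0.x and 2025.1.x lines.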
Evidence notes
The NVD record for CVE-2026-8488 cites a Progress Software release-notes page as its reference and assigns CWE-770. The supplied source data also includes the affected-version ranges and the CVSS vector. Vendor attribution is based on the referenced Progress documentation and should be treated as confirmed only after checking the vendor advisory directly.
Official resources
- CVE-2026-8488 CVE record (CVE.org)
- CVE-2026-8488 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
Publicly disclosed in the CVE/NVD record on 2026-05-20. The NVD entry was still marked 'Undergoing Analysis' in the supplied data, and no KEV listing is indicated in the source corpus.