Skip to content
feed: live
>_ 0dayNews
CVE Record
[ HIGH ] CVE-2026-40138

BeyondTrust Remote Support / PRA pre-auth authentication bypass

A pre-authentication authentication-bypass flaw in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). Improper validation of authentication data may let a network-positioned attacker bypass access controls and reach appliance accounts, including elevated ones. Vendor labels the flaw "critical" in its advisory; NVD scores it CVSS 8.1 (high). Patched in the 2026-07-06 coordinated release; exploitation requires a specific authentication configuration to be enabled.

cat cve-2026-40138.json
Vendor
BeyondTrust
Product
Remote Support (RS) and Privileged Remote Access (PRA)
CVSS
8.1
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-40138 is a pre-authentication authentication-bypass flaw in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). Per NVD’s record, “improper validation of authentication data may allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. Exploitation requires a specific authentication configuration to be enabled.”

Severity note

BeyondTrust’s advisory describes CVE-2026-40138 as a “critical pre-authentication vulnerability.” NVD’s canonical CVSS calculation lands at 8.1 (high) rather than critical, driven by the specific-configuration prerequisite for exploitation. Both labels appear in press coverage — this site defers to NVD’s score for the severity badge and calls out the vendor’s own framing in prose. Either way, the flaw is a pre-auth bypass on an appliance whose entire purpose is gated privileged access, and it warrants immediate patching where the affected configuration is in use.

Advisory context

CVE-2026-40138 is one of four vulnerabilities BeyondTrust disclosed and patched in a single coordinated release on 2026-07-06, alongside CVE-2026-40139 (pre-auth auth bypass, CVSS 9.8 critical, Remote Support only), CVE-2026-40140 (pre-auth DoS, CVSS 7.5 high), and CVE-2026-40141 (authenticated authorization bypass, CVSS 9.9 critical). NVD published all four on 2026-07-06.

What to do

Apply BeyondTrust’s 2026-07-06 patches to Remote Support and Privileged Remote Access appliances. See the article writeup for a priority-ordered response and the “specific authentication configuration” language that determines who is actually reachable.

NVD’s canonical record for this CVE is here.