Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-40141

BeyondTrust Remote Support / PRA authenticated authorization bypass

A critical (CVSS 9.9) authenticated authorization-bypass flaw in a web-application component of BeyondTrust Remote Support and Privileged Remote Access. Insufficient input validation may let an authenticated attacker with limited privileges reach data or resources beyond their authorization scope. Exploitation is restricted to accounts with specific permissions. Patched in the 2026-07-06 coordinated release.

cat cve-2026-40141.json
Vendor
BeyondTrust
Product
Remote Support (RS) and Privileged Remote Access (PRA)
CVSS
9.9
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-40141 is an authenticated authorization-bypass flaw in a web-application component of BeyondTrust Remote Support and Privileged Remote Access. Per NVD’s record: “insufficient validation of user-supplied input may allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope. Exploitation is restricted to accounts with specific permissions.” NVD scores it CVSS 9.9 (critical).

The high score reflects the impact — full access to unintended data on an appliance that brokers vendor and third-party privileged sessions into an enterprise — combined with a low attack complexity once the required permission is held. The “restricted to accounts with specific permissions” caveat means the flaw is not exploitable by every appliance user, but on a shared multi-tenant support-vendor deployment, the accounts that hold those permissions include the exact roles an attacker would target with prior credential compromise or a phishing-earned foothold.

Advisory context

CVE-2026-40141 is one of four vulnerabilities BeyondTrust disclosed and patched in the same 2026-07-06 coordinated release, alongside CVE-2026-40138 (pre-auth auth bypass, CVSS 8.1 high per NVD), CVE-2026-40139 (pre-auth auth bypass, CVSS 9.8 critical), and CVE-2026-40140 (pre-auth DoS, CVSS 7.5 high).

What to do

Apply BeyondTrust’s 2026-07-06 patches. Even for organizations confident in their permission model, a 9.9-score authenticated bypass is not a “we’ll patch next window” item. See the article writeup for the priority-ordered response across all four flaws.

NVD’s canonical record for this CVE is here.