CVE-2026-22762
Description
Dell Avamar Server and Avamar Virtual Edition, versions prior to 19.10 SP1 with CHF338912, contain an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary file delete.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Avamar Server and Avamar Virtual Edition prior to 19.10 SP1 with CHF338912 contain a path traversal vulnerability allowing high-privileged remote attackers to delete arbitrary files.
Vulnerability Overview
CVE-2026-22762 is an improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in the Security component of Dell Avamar Server and Avamar Virtual Edition. Affected versions range from 19.9 through 19.10 SP1 before the inclusion of CHF338912. The root cause is insufficient validation of user-supplied file paths, enabling an attacker to escape the intended directory and target files outside the restricted scope [1].
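The validation gap described above, shown as an added example (not Dell's code and not taken from the advisory): a delete helper that trusts a joined path, next to one that canonicalizes the path and checks containment before deleting. The function names and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

class PathEscapeError(ValueError):
    """Requested path resolves outside the allowed directory."""

def resolve_inside(base_dir, user_path):
    """Return the canonical target of user_path, or raise if it leaves base_dir."""
    base = os.path.realpath(base_dir)
    # join() lets an absolute user_path replace base entirely; realpath() then
    # collapses ".." and follows symlinks, so we test the file actually touched.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath() compares whole components, so "/data-old" never passes as "/data".
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathEscapeError(f"rejected path: {user_path!r}")
    return target

def delete_unchecked(base_dir, user_path):
    """Flawed pattern: the joined path is trusted as-is."""
    os.remove(os.path.join(base_dir, user_path))

def delete_checked(base_dir, user_path):
    """Hardened pattern: delete only what resolves inside base_dir."""
    os.remove(resolve_inside(base_dir, user_path))

def demo():
    """Constructed layout: <tmp>/allowed/job.log may go, <tmp>/keep.cfg must stay."""
    root = os.path.realpath(tempfile.mkdtemp())
    allowed = os.path.join(root, "allowed")
    os.mkdir(allowed)
    outside = os.path.join(root, "keep.cfg")
    for p in (outside, os.path.join(allowed, "job.log")):
        open(p, "w").close()
    results = []
    for req in ("job.log", "../keep.cfg", "sub/../../keep.cfg", outside):
        try:
            delete_checked(allowed, req)
            results.append("deleted")
        except PathEscapeError:
            results.append("rejected")
    survived_checked = os.path.exists(outside)
    delete_unchecked(allowed, "../keep.cfg")  # same request, no validation
    return results, survived_checked, os.path.exists(outside)

if __name__ == "__main__":
    print(demo())
```

The check and the delete are separate steps, so a service that lets other users write inside the base directory also needs to guard against a path being swapped for a symlink between the two.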
Exploitation Conditions
Exploitation requires a high-privileged attacker with remote network access. The CVSS v3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) indicates that no user interaction is needed and the attack complexity is low. The attacker must already possess elevated privileges (e.g., administrative credentials) within the Avamar environment, but can then leverage the path traversal to specify arbitrary file paths for deletion [1].
Impact
Successful exploitation leads to arbitrary file deletion on the affected system. This can disrupt backup operations, delete critical configuration files, or cause denial of service. The CVSS score of 6.5 (Medium) reflects the high integrity and availability impact, though confidentiality is not directly compromised [1].
Mitigation
Dell has released a fix in Avamar Server and Avamar Virtual Edition version 19.10 SP1 with CHF338912. The Dell PowerProtect DP Series Appliance (IDPA) is also affected and remediated in version 2.7.8 with the same cumulative hotfix. Users should apply the update from the Dell support portal as soon as possible [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 19.10 SP1 with CHF338912
- Range: < 19.10 SP1 with CHF338912
Patches
No patches discovered yet.
References