CVE-2026-8381
Description
A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior to version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for higher‑privileged roles. An attacker with low‑privileged credentials may exploit this to gain unauthorized access to administrative or sensitive functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TeamViewer DEX Platform On-Premises before v9.2 has broken access control in backend APIs, letting low-privileged users access admin-only resources.
Vulnerability
A broken access control vulnerability exists in the TeamViewer DEX Platform (On-Premises) prior to version 9.2. Certain backend API endpoints do not correctly enforce server-side authorization checks [1]. This allows an authenticated user with low privileges to access resources and perform actions intended only for higher-privileged roles, including administrative functions. The issue affects all deployments running a version earlier than v9.2 [1].
Exploitation
An attacker needs valid low-privileged credentials for the TeamViewer DEX Platform On-Premises instance. No other user interaction or special network position is required beyond normal authenticated access to the platform. The attacker can directly send crafted requests to the vulnerable backend API endpoints, which fail to verify proper role authorization [1].
Impact
Successful exploitation grants the attacker unauthorized access to administrative or sensitive functionality, potentially leading to disclosure of confidential data, modification of configuration, or privilege escalation within the platform [1]. The exact scope of compromise depends on the specific endpoints accessed but extends to resources reserved for higher-privileged roles.
Mitigation
Update to TeamViewer DEX Platform On-Premises version 9.2 or later, which contains the fix for this vulnerability [1]. The fixed version was released as part of the security bulletin TV-2026-1005. No workarounds are documented; upgrading is the recommended mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.2
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.