Secure Access
by Absolute
CVEs (44)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33447 | | Cri | 0.64 | 9.8 | 0.00 | | Apr 30, 2026 | CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or denial… |
| CVE-2026-33446 | | Cri | 0.64 | 9.8 | 0.00 | | Apr 30, 2026 | CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a… |
| CVE-2024-40872 | | Hig | 0.55 | 8.4 | 0.00 | | Jul 25, 2024 | There is an elevation of privilege vulnerability in server and client components of Absolute Secure Access prior to version 13.07. Attackers with local access and valid desktop user credentials can elevate their privilege to system level by passing invalid address data to the… |
| CVE-2026-33451 | | Hig | 0.51 | 7.8 | 0.00 | | Apr 30, 2026 | CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system. |
| CVE-2026-33449 | | Hig | 0.49 | 7.5 | 0.00 | | Apr 30, 2026 | CVE-2026-33449 is a buffer overflow in a message handling function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a cryptographically valid message to the client, overwriting a small portion of memory conceivably leading to a … |
| CVE-2026-40950 | | Med | 0.42 | 6.5 | 0.00 | | Apr 30, 2026 | CVE-2026-40950 is a buffer overflow vulnerability in the Secure Access server prior to 14.50. Attackers with control of a modified client can send a specially crafted message to the server and cause a denial of service. |
| CVE-2025-54603 | | Med | 0.42 | 6.5 | 0.01 | | Oct 14, 2025 | An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users. |
| CVE-2024-40875 | | Med | 0.38 | — | 0.00 | | Dec 20, 2024 | There is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.52. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the second… |
| CVE-2026-40951 | | Med | 0.36 | 5.5 | 0.00 | | Apr 30, 2026 | CVE-2026-40951 is a memory corruption vulnerability on Secure Access Windows clients prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and trigger a denial of service. |
| CVE-2026-33452 | | Med | 0.36 | 5.5 | 0.00 | | Apr 30, 2026 | CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to ‘blue screen’ the system. |
| CVE-2026-33450 | | Med | 0.36 | 5.5 | 0.00 | | Apr 30, 2026 | CVE-2026-33450 is an out of bounds read vulnerability in the Secure Access MacOS client prior to 14.50. Attackers with control of a modified server can send a malformed packet to the client causing a denial of service. |
| CVE-2025-27705 | | Med | 0.36 | — | 0.00 | | Mar 19, 2025 | There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the… |
| CVE-2025-27704 | | Med | 0.36 | — | 0.00 | | Mar 19, 2025 | There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator’s use of the management console when the… |
| CVE-2026-40949 | | Med | 0.29 | 4.4 | 0.00 | | Apr 30, 2026 | CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to trigger a denial of service. |
| CVE-2026-33448 | | Low | 0.21 | 3.3 | 0.00 | | Apr 30, 2026 | CVE-2026-33448 is a format string vulnerability in the logging subsystem of Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files potentially revealing… |
| CVE-2026-0519 | | | 0.00 | — | 0.00 | | Jan 17, 2026 | In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. |
| CVE-2026-0518 | | | 0.00 | — | 0.00 | | Jan 17, 2026 | CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator’s use of the console. |
| CVE-2026-0517 | | | 0.00 | — | 0.00 | | Jan 17, 2026 | CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash. |
| CVE-2025-59596 | | | 0.00 | — | 0.00 | | Nov 4, 2025 | CVE-2025-59596 is a denial-of-service vulnerability in Secure Access Windows client versions 12.0 to 14.10 that is addressed in version 14.12. If a local networking policy is active, attackers on an adjacent network may be able to send a crafted packet and cause the client… |
| CVE-2025-59595 | | | 0.00 | — | 0.00 | | Nov 4, 2025 | CVE-2025-59595 is an internally discovered denial of service vulnerability in versions of Secure Access prior to 14.12. An attacker can send a specially crafted packet to a server in a non-default configuration and cause the server to crash. |