ConnectWise Automate security bypass
What happened
- ConnectWise said on May 21 it released Automate 2026.5 to fix a flaw that could let attackers bypass integrity checks and run code. - The key detail is CVE-2026-9089, rated 8.8, which affects Automate versions before 2026.5 in plugin loading and self-update paths. - ConnectWise directs customers to update to Automate 2026.5 through its release notes and security bulletin.
Why it matters
ConnectWise disclosed on May 21 that it had released Automate 2026.5 to address a security flaw in the remote monitoring and management platform’s agent update and plugin-loading processes. The company said components obtained during those operations could, under certain conditions, be processed without full integrity verification before loading. Security news outlets Cyber Security News and GBHackers identified the issue as CVE-2026-9089 and said it carried a CVSS score of 8.8. ### What exactly did ConnectWise say was wrong? ConnectWise said in its May 21 security bulletin that the issue affected “the agent’s plugin loading and self-update processes” and that “components obtained during these operations may be processed without full integrity verification prior to loading.” The company said Automate 2026.5 adds “enhanced integrity verification for all agent components.” (connectwise.com) Cyber Security News and GBHackers described the flaw as a security-check bypass that could enable malicious code execution if an attacker could take advantage of those weakened validation steps. Both reports said versions before 2026.5 were affected. ### Why does the plugin and self-update path matter so much? (connectwise.com) ConnectWise Automate is an RMM product, which means it is used to administer and automate actions across many managed endpoints. A weakness in the agent update path matters because that path is trusted by design: it is how software and instructions are distributed at scale. That makes integrity verification a key control, because the platform is expected to decide what code should run on downstream systems. (cybersecuritynews.com) This is an inference based on the product’s role and the nature of the flaw. ConnectWise’s own bulletin does not say the flaw was being actively exploited, and the company’s public bulletin page says it generally discloses issues after analysis and after fixes or mitigations are available. ### Which versions are affected, and what is the fix? Cyber Security News and GBHackers said CVE-2026-9089 affects ConnectWise Automate releases before version 2026.5. (connectwise.com) ConnectWise’s bulletin says the fix is included in Automate 2026.5. ConnectWise’s release-notes page directs customers to the product updates page to download a new version of Automate and update their systems. (connectwise.com) The company also maintains the 2026 release-notes section for current Automate changes. ### Is this the first recent Automate security issue? ConnectWise published another Automate bulletin on April 20 for version 2026.4 covering a different issue in the Solution Center, where some client-to-server communications could occur without transport-layer encryption. (connectwise.com) In October 2025, the company issued Automate 2025.9 to address flaws that could expose agent communications and updates to interception or tampering in some configurations. (docs.connectwise.com) Those earlier bulletins involved different technical issues, but together they show ConnectWise has issued multiple Automate security fixes over the past year touching update, communication and trust paths inside the product. That is a factual summary of the bulletin history on ConnectWise’s site. ### What should customers watch for next? (connectwise.com) ConnectWise’s next concrete step for customers is the Automate 2026.5 update referenced in the May 21 bulletin and linked release notes. Customers looking for any follow-up can monitor the company’s security bulletins page and the Automate release-notes page for additional guidance or later fixes. (connectwise.com 1) (connectwise.com 2)
Key numbers
- ConnectWise said on May 21 it released Automate 2026.5 to fix a flaw that could let attackers bypass integrity checks and run code.
- The key detail is CVE-2026-9089, rated 8.8, which affects Automate versions before 2026.5 in plugin loading and self-update paths.
- ConnectWise directs customers to update to Automate 2026.5 through its release notes and security bulletin.
- ConnectWise disclosed on May 21 that it had released Automate 2026.5 to address a security flaw in the remote monitoring and management platform’s agent update and plugin-loading processes.
What happens next
- ConnectWise disclosed on May 21 that it had released Automate 2026.5 to address a security flaw in the remote monitoring and management platform’s agent update and plugin-loading processes.
- The company said components obtained during those operations could, under certain conditions, be processed without full integrity verification before loading.
- That makes integrity verification a key control, because the platform is expected to decide what code should run on downstream systems.
Quick answers
What happened in ConnectWise Automate security bypass?
ConnectWise said on May 21 it released Automate 2026.5 to fix a flaw that could let attackers bypass integrity checks and run code. The key detail is CVE-2026-9089, rated 8.8, which affects Automate versions before 2026.5 in plugin loading and self-update paths. ConnectWise directs customers to update to Automate 2026.5 through its release notes and security bulletin.
Why does ConnectWise Automate security bypass matter?
ConnectWise disclosed on May 21 that it had released Automate 2026.5 to address a security flaw in the remote monitoring and management platform’s agent update and plugin-loading processes. The company said components obtained during those operations could, under certain conditions, be processed without full integrity verification before loading. Security news outlets Cyber Security News and GBHackers identified the issue as CVE-2026-9089 and said it carried a CVSS score of 8.8. What exactly did ConnectWise say was wrong? ConnectWise said in its May 21 security bulletin that the issue affected “the agent’s plugin loading and self-update processes” and that “components obtained during these operations may be processed without full integrity verification prior to loading.” The company said Automate 2026.5 adds “enhanced integrity verification for all agent components.” (connectwise.com) Cyber Security News and GBHackers described the flaw as a security-check bypass that could enable malicious code execution if an attacker could take advantage of those weakened validation steps. Both reports said versions before 2026.5 were affected. Why does the plugin and self-update path matter so much? (connectwise.com) ConnectWise Automate is an RMM product, which means it is used to administer and automate actions across many managed endpoints. A weakness in the agent update path matters because that path is trusted by design: it is how software and instructions are distributed at scale. That makes integrity verification a key control, because the platform is expected to decide what code should run on downstream systems. (cybersecuritynews.com) This is an inference based on the product’s role and the nature of the flaw. ConnectWise’s own bulletin does not say the flaw was being actively exploited, and the company’s public bulletin page says it generally discloses issues after analysis and after fixes or mitigations are available. Which versions are affected, and what is the fix? Cyber Security News and GBHackers said CVE-2026-9089 affects ConnectWise Automate releases before version 2026.5. (connectwise.com) ConnectWise’s bulletin says the fix is included in Automate 2026.5. ConnectWise’s release-notes page directs customers to the product updates page to download a new version of Automate and update their systems. (connectwise.com) The company also maintains the 2026 release-notes section for current Automate changes. Is this the first recent Automate security issue? ConnectWise published another Automate bulletin on April 20 for version 2026.4 covering a different issue in the Solution Center, where some client-to-server communications could occur without transport-layer encryption. (connectwise.com) In October 2025, the company issued Automate 2025.9 to address flaws that could expose agent communications and updates to interception or tampering in some configurations. (docs.connectwise.com) Those earlier bulletins involved different technical issues, but together they show ConnectWise has issued multiple Automate security fixes over the past year touching update, communication and trust paths inside the product. That is a factual summary of the bulletin history on ConnectWise’s site. What should customers watch for next? (connectwise.com) ConnectWise’s next concrete step for customers is the Automate 2026.5 update referenced in the May 21 bulletin and linked release notes. Customers looking for any follow-up can monitor the company’s security bulletins page and the Automate release-notes page for additional guidance or later fixes. (connectwise.com 1) (connectwise.com 2)
