CVE-2026-21708
Published: 12 March 2026
Summary
CVE-2026-21708 is a critical-severity SQL Injection (CWE-89) vulnerability in Veeam Backup & Replication. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 38.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21708 is a SQL injection vulnerability (CWE-89) that enables a Backup Viewer role to achieve remote code execution as the postgres user. The flaw affects Veeam backup software components that expose this role and interact with the postgres database, as indicated by the associated Veeam knowledge base references. It carries a CVSS 3.1 score of 9.9, reflecting network attack vector, low complexity, low privileges required, and changed scope with high impact on confidentiality and integrity.
An attacker who obtains or is granted Backup Viewer credentials can exploit the issue over the network to run arbitrary commands as the postgres user, resulting in broad database and host-level access within the affected environment.
Advisory and patch details are documented in the Veeam knowledge base articles at https://www.veeam.com/kb4830 and https://www.veeam.com/kb4831. The EPSS score remains low, with a current value of 0.0132 and a peak of 0.0152.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11597
Vulnerability details
A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Low-privileged (Backup Viewer) remote code execution as the postgres user directly enables exploitation for privilege escalation (T1068) and exploitation of remote services (T1210).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all inputs to the postgres-interfacing components, blocking the SQL injection that enables Backup Viewer RCE.
- AC-6 (Least Privilege): Enforces least privilege so the Backup Viewer role cannot execute arbitrary commands or access postgres-level operations even if credentials are obtained.
- Ensures the Backup Viewer role's permitted actions are strictly enforced at the application boundary, preventing unauthorized escalation to postgres RCE.