CVE-2026-22266
Published: 19 February 2026
Summary
CVE-2026-22266 is a medium-severity Improper Neutralization of Expression/Command Delimiters (CWE-146) vulnerability in Dell PowerProtect Data Manager. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-22266 is an Improper Verification of Source of a Communication Channel vulnerability (CWE-146) affecting the REST API in Dell PowerProtect Data Manager versions prior to 19.22. The flaw stems from inadequate validation of the origin of a communication channel, which may allow unauthorized actions within the application's security boundary. The vulnerability received a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L), classifying it as medium severity: it is reachable over the network with low attack complexity, but exploitation requires high privileges.
A high-privileged attacker with remote access can exploit this vulnerability to bypass protection mechanisms. Exploitation does not require user interaction and leaves the scope unchanged; the resulting impact on confidentiality, integrity, and availability is rated low, meaning limited unauthorized data access, modification, or disruption within the affected component.
Dell's security advisory DSA-2026-046, available at https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities, addresses this and other vulnerabilities in PowerProtect Data Manager with a security update to version 19.22 or later. Security practitioners should review the advisory for patching instructions and apply updates promptly to mitigate risks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8337
Vulnerability details
Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to exploitation of a vulnerable public-facing REST API allowing bypass of source verification protections.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access decisions on the REST API, blocking the protection-mechanism bypass that results from missing source verification.
- AC-4 (Information Flow Enforcement): Enforces information-flow rules that validate the origin of each communication channel before allowing REST API actions.
- Requires cryptographic or protocol-level session authenticity, mitigating the improper source verification flaw in the REST channel.