
CVE-2026-22266

Medium

Published: 19 February 2026
Modified: 20 February 2026

CVSS v3.1 base score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.0027 (19.0th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-22266 is a medium-severity Improper Neutralization of Expression/Command Delimiters (CWE-146) vulnerability in Dell PowerProtect Data Manager. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 19.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-22266 is an Improper Verification of Source of a Communication Channel vulnerability (CWE-146) affecting the REST API in Dell PowerProtect Data Manager versions prior to 19.22. The API does not adequately verify the origin of a communication channel, which could allow unauthorized actions within the application's security boundary. The vulnerability received a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L): it is reachable over the network with low attack complexity, but requires high privileges, so it is classified as medium severity.

A high-privileged attacker with remote access can exploit this vulnerability to bypass a protection mechanism. Exploitation requires no user interaction and does not change the impact scope; the expected impact on confidentiality, integrity, and availability is low, for example limited unauthorized data access, modification, or disruption within the affected component.

Dell's security advisory DSA-2026-046 (https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities) addresses this and other vulnerabilities in PowerProtect Data Manager with a security update to version 19.22 or later. Security practitioners should review the advisory for patching instructions and apply the update promptly.

Vulnerability details

Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct mapping to exploitation of a vulnerable public-facing REST API allowing bypass of source verification protections.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-22267 (same product: Dell PowerProtect Data Manager)
CVE-2025-26336 (same vendor: Dell)
CVE-2025-43728 (same vendor: Dell)
CVE-2025-43995 (same vendor: Dell)
CVE-2025-22475 (same vendor: Dell)
CVE-2024-49601 (same vendor: Dell)
CVE-2026-27101 (same vendor: Dell)
CVE-2026-26944 (same vendor: Dell)
CVE-2025-24382 (same vendor: Dell)
CVE-2026-26360 (same vendor: Dell)

Affected Assets

Dell PowerProtect Data Manager, versions ≤ 19.22

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces access decisions on the REST API, blocking the protection-mechanism bypass that results from missing source verification.

AC-4 Information Flow Enforcement (prevent): Enforces information-flow rules that validate the origin of each communication channel before allowing REST API actions.

Session authenticity control (prevent): Requires cryptographic or protocol-level session authenticity, mitigating the improper source verification flaw in the REST channel.