Cyber Resilience

CVE-2026-40636

Critical

Published: 11 May 2026

Published
11 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 12.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-40636 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Dell Elastic Cloud Storage. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains a use of hard-coded credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to filesystem access for attacker.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Hard-coded credentials (CWE-798) directly constitute unsecured credentials stored in files or binaries; local unauthenticated attacker can abuse them for filesystem access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28261Same product: Dell Elastic Cloud Storage
CVE-2026-35157Same product: Dell Elastic Cloud Storage
CVE-2026-22273Same product: Dell Elastic Cloud Storage
CVE-2026-22271Same product: Dell Elastic Cloud Storage
CVE-2026-22769Same vendor: Dell
CVE-2025-21102Same vendor: Dell
CVE-2024-48831Same vendor: Dell
CVE-2025-21111Same vendor: Dell
CVE-2026-21417Same vendor: Dell
CVE-2026-23775Same vendor: Dell

Affected Assets

dell
elastic cloud storage
3.8.1.0 — 4.3.0.0
dell
objectscale
≤ 4.3.0.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-798

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

addresses: CWE-798

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

addresses: CWE-798

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

addresses: CWE-798

External identity providers eliminate the need for hard-coded credentials in applications.

addresses: CWE-798

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

addresses: CWE-798

Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.

addresses: CWE-798

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

addresses: CWE-798

Planned investment enables secure credential storage and management systems instead of hard-coded credentials.

References