CVE-2026-4670
Published: 30 April 2026
Summary
CVE-2026-4670 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Progress MOVEit Automation. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 45.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigating controls our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)). Note that these controls limit exposure and blast radius; the vulnerability itself is removed only by upgrading to the vendor's patched releases.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates the authentication bypass vulnerability by requiring timely identification, reporting, and correction of software flaws through vendor patches.
AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, limiting what an attacker can do with the access gained through the authentication bypass.
IA-2 (Identification and Authentication (Organizational Users)): requires unique identification and authentication of organizational users, the control whose enforcement in MOVEit Automation this weakness undermines.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): the authentication bypass in the network-accessible MOVEit Automation application directly enables remote exploitation of a public-facing application without credentials or user interaction.
NVD Description
Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
Deeper analysis
CVE-2026-4670 is an authentication bypass vulnerability stemming from a primary weakness (CWE-305) in Progress Software's MOVEit Automation. The issue allows attackers to circumvent authentication mechanisms entirely. It affects MOVEit Automation versions from 2025.0.0 prior to 2025.0.9, from 2024.0.0 prior to 2024.1.8, and all versions prior to 2024.0.0. Published on April 30, 2026, the vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.
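The affected-version ranges above are easy to misread because the 2024 branch has two minor lines (2024.0.x and 2024.1.x) and the fix lands in 2024.1.8, so a 2024.0.x install is affected with no patch in its own minor line. The following added example, which is not part of this advisory or of Progress's own tooling, encodes the NVD ranges as explicit half-open intervals and reports whether a given version string is affected and which patched release resolves it. It assumes only that you already have the installed version string (e.g. from the product's own version display); it does not query the product.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the NVD description of CVE-2026-4670,
# expressed as [lower, upper) intervals; None as lower means "any version below upper".
AFFECTED_RANGES = [
    ((2025, 0, 0), (2025, 0, 9)),   # from 2025.0.0 before 2025.0.9
    ((2024, 0, 0), (2024, 1, 8)),   # from 2024.0.0 before 2024.1.8
    (None,         (2024, 0, 0)),   # all versions prior to 2024.0.0
]

# Patched releases named in the Progress bulletin, keyed by major branch.
FIXED_IN = {2025: "2025.0.9", 2024: "2024.1.8"}


def parse_version(text: str) -> Version:
    """Parse 'YYYY.minor.patch' into a comparable tuple, padding missing
    components with zero so '2024.1' compares as 2024.1.0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Automation version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_range(v: Version, lower: Optional[Version], upper: Version) -> bool:
    """Half-open interval test: lower <= v < upper (lower=None means unbounded)."""
    return (lower is None or lower <= v) and v < upper


def assess(version_text: str) -> dict:
    """Return whether the version is inside an affected range and the
    upgrade target that resolves it. For releases before 2024.0.0 there is
    no in-branch fix; the only path is moving to a patched branch."""
    v = parse_version(version_text)
    affected = any(in_range(v, lo, hi) for lo, hi in AFFECTED_RANGES)
    if not affected:
        target = None
    elif v[0] in FIXED_IN:
        target = FIXED_IN[v[0]]
    else:
        # Assumption for this example: pre-2024 installs upgrade to the
        # newest patched branch; the bulletin names both 2024.1.8 and 2025.0.9.
        target = FIXED_IN[2025]
    return {
        "version": ".".join(str(n) for n in v),
        "affected": affected,
        "upgrade_to": target,
    }


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for sample in ["2025.0.8", "2025.0.9", "2024.0.5", "2024.1.7", "2024.1.8", "2023.0.2"]:
        print(assess(sample))
```

The interval for the 2024 branch is deliberately a single [2024.0.0, 2024.1.8) span rather than one per minor line: that is exactly how NVD states it, and it is what makes every 2024.0.x build affected with 2024.1.8 as the only fix on that branch.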
An unauthenticated attacker with network access can exploit this vulnerability remotely with low attack complexity and no user interaction required. Exploitation bypasses authentication, enabling the attacker to achieve high impacts on confidentiality, integrity, and availability, such as unauthorized access to sensitive data, modification of configurations, or disruption of automation tasks.
Progress Software has issued a Critical Security Alert Bulletin addressing CVE-2026-4670 (along with CVE-2026-5174), available at https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174. Remediation requires upgrading to a patched release: 2025.0.9 or later on the 2025 branch, or 2024.1.8 or later on the 2024 branch. Installations on any release before 2024.0.0 are also affected and have no fix within their own branch, so they must move to one of those patched branches. After upgrading, confirm the reported version is at or above the fixed release and review access to the MOVEit Automation interface from untrusted networks while the rollout completes.
Details
- CWE(s)