ConnectWise Automate 2026.5 fixes security flaw that could allow malicious code execution

ConnectWise has patched a security vulnerability in ConnectWise Automate that could allow attackers to get malicious components loaded through the platform’s agent update and plugin processes.

The issue is tracked as CVE-2026-9089 and affects ConnectWise Automate versions before 2026.5. The company confirmed the fix in a May 21 ConnectWise security bulletin, which says Automate 2026.5 adds stronger integrity verification for all agent components.

The flaw matters because Automate is widely used by managed service providers to monitor, manage, and update client systems. If attackers can interfere with trusted update or plugin-loading workflows, they may gain a path to execute code in environments where remote management tools already have broad reach.

What CVE-2026-9089 allows

The vulnerability sits in the ConnectWise Automate Agent. According to the National Vulnerability Database, the agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations.

That places the flaw under CWE-494, Download of Code Without Integrity Check. In practical terms, the product could process a downloaded component before fully confirming that the component came from a trusted source and had not been altered.

Cybersecurity Help describes the issue as a code execution risk and notes that exploitation is limited to the adjacent network attack surface. That means attackers generally need a position close to the target network path, rather than simple internet-wide remote access, according to the Cybersecurity Help advisory.

Key details at a glance

Item	Details
CVE	CVE-2026-9089
Affected product	ConnectWise Automate
Affected versions	Versions before 2026.5
Fixed version	ConnectWise Automate 2026.5
Weakness type	CWE-494, Download of Code Without Integrity Check
CVSS score	8.8 High
Attack vector	Adjacent network
User interaction	Not required

Why MSPs should prioritize the update

The risk is especially important for managed service providers because remote monitoring and management tools often sit at the center of many customer environments. A single compromised RMM workflow can create pressure across many managed endpoints.

The 365Trust alert also describes the flaw as a remote code execution issue affecting plugin management procedures in ConnectWise Automate. It recommends updating affected products in line with the vendor’s bulletin.

The CVSS vector for the issue is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This means an attacker needs adjacent network access, but does not need privileges or user interaction. The impact rating is high for confidentiality, integrity, and availability, according to the NVD entry.

Cloud instances were updated, but on-premises users must act

ConnectWise says cloud instances have already been updated to the latest Automate release. That reduces immediate exposure for customers using hosted deployments.

On-premises customers need to apply the 2026.5 release manually. The ConnectWise advisory recommends prioritizing the update within normal change management timelines, but no later than 30 days.

Security teams should treat the patch as more than a routine maintenance update. The flaw affects a trusted software delivery path, which makes validation and monitoring important even if there are no public reports of active exploitation.

Recommended actions for administrators

• Check all ConnectWise Automate deployments and confirm whether any on-premises instance runs a version earlier than 2026.5.
• Apply Automate 2026.5 to affected on-premises deployments as soon as change control allows.
• Review agent update and plugin activity for unusual behavior before and after the update.
• Watch for unexpected component downloads or agent-side changes in managed client environments.
• Limit unnecessary network exposure around Automate infrastructure and related management systems.
• Confirm cloud-hosted Automate instances show the latest release state in administrative dashboards.

No active exploitation reported, but the risk remains serious

ConnectWise has not reported known active exploitation in its public bulletin. Still, attackers have repeatedly shown interest in remote management and update mechanisms because these tools can provide trusted access to many endpoints.

The Cybersecurity Help listing says a patch is available and identifies code execution as the highest impact. The vulnerability affects Automate versions before 2026.5.

The CSIRT-linked 365Trust notice rates the estimated impact on the target community as high and points administrators back to the vendor’s mitigation guidance.

What this means for ConnectWise Automate users

For MSPs and internal IT teams, the fix should land near the top of the patch queue. The vulnerability does not require user interaction, and it affects an agent workflow designed to load and update components automatically.

Automate 2026.5 closes that gap by adding enhanced integrity verification across agent components. That makes it harder for attackers to insert modified code into plugin loading or self-update operations.

Organizations running on-premises Automate should update, verify agent behavior, and review logs for signs of unusual plugin or component activity. Cloud customers should still confirm their environments have received the updated release.

FAQ