{"api_version":"1","generated_at":"2026-04-21T10:52:34+00:00","cve":"CVE-2026-6066","urls":{"html":"https://cve.report/CVE-2026-6066","api":"https://cve.report/api/cve/CVE-2026-6066.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6066","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6066"},"summary":{"title":"Unencrypted Client‑Server Communication in ConnectWise Automate™ Solution Center","description":"ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.","state":"PUBLISHED","assigner":"ConnectWise","published_at":"2026-04-20 16:16:50","updated_at":"2026-04-20 19:05:30"},"problem_types":["CWE-319","CWE-319 CWE-319 Cleartext transmission of sensitive information"],"metrics":[{"version":"3.1","source":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin","name":"https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin","refsource":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6066","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6066","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ConnectWise","product":"Automate","version":"affected All versions prior to 2026.4","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Remediation\n\n\n\nCloud: No action is required. \n\nOn-Premise: Apply the 2026.4 release.\n\n\nFor instruction on updating to the newest release, please\nreference this doc:  Automate Release Notes Version 2026 - ConnectWise https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026  \n\nAfter applying the update, on-premises customers must\nensure the following configurations are in place:\n\n\n\n  *  An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: Solution Center Client and\nService HTTPS Update - ConnectWise\n  *  In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions:  Automate Antivirus Exclusions for Windows https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010 \n  *  Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nIf you experience issues completing the update or\nrequired configuration steps, please contact ConnectWise\nSupport for assistance.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-6066","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-20T16:12:51.126302Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-20T16:13:06.767Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Solution Center"],"product":"Automate","vendor":"ConnectWise","versions":[{"status":"affected","version":"All versions prior to 2026.4"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections."}],"value":"ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections."}],"impacts":[{"capecId":"CAPEC-117","descriptions":[{"lang":"en","value":"CAPEC-117 Interception"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-319","description":"CWE-319 Cleartext transmission of sensitive information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-20T15:26:31.843Z","orgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","shortName":"ConnectWise"},"references":[{"url":"https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p><b>Remediation</b></p>\n\n<p><u>Cloud:</u>&nbsp;<span>No action is required.&nbsp;</span></p><p><span><u>On-Premise:</u>&nbsp;</span><span>Apply the 2026.4 release.</span><span><br></span></p><p>For instruction on updating to the newest release, please\nreference this doc: <a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026\">Automate Release Notes Version 2026 - ConnectWise</a> </p><p>After applying the update, on-premises customers must\nensure the following configurations are in place:</p><p></p><ul><li>An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: <a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/070/270/Solution_Center_Client_and_Service_HTTPS_Update\">Solution Center Client and\nService HTTPS Update - ConnectWise</a></li><li><span>In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions:</span><span> </span><a href=\"https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010\">Automate Antivirus Exclusions for Windows</a></li><li>Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.</li></ul><p></p><p>\n\n\n\n\n\n\n\n</p><p>If you experience issues completing the update or\nrequired configuration steps, please contact <a href=\"mailto:help@connectwise.com\">ConnectWise\nSupport</a> for assistance.</p>"}],"value":"Remediation\n\n\n\nCloud: No action is required. \n\nOn-Premise: Apply the 2026.4 release.\n\n\nFor instruction on updating to the newest release, please\nreference this doc:  Automate Release Notes Version 2026 - ConnectWise https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026  \n\nAfter applying the update, on-premises customers must\nensure the following configurations are in place:\n\n\n\n  *  An SSL certificate is bound to the Solution\nCenter on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: Solution Center Client and\nService HTTPS Update - ConnectWise\n  *  In some environments, antivirus or endpoint\nprotection products may interfere with the Automate patch installer or service\nbehavior during upgrades. If issues are encountered during installation or\nstartup, refer to the ConnectWise documentation for recommended antivirus\nexclusions:  Automate Antivirus Exclusions for Windows https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010 \n  *  Ensure that the LTShare has a minimum of 1 GB of\nfree disk space prior to installation.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nIf you experience issues completing the update or\nrequired configuration steps, please contact ConnectWise\nSupport for assistance."}],"source":{"discovery":"UNKNOWN"},"title":"Unencrypted Client‑Server Communication in ConnectWise Automate™ Solution Center","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","assignerShortName":"ConnectWise","cveId":"CVE-2026-6066","datePublished":"2026-04-20T15:26:31.843Z","dateReserved":"2026-04-10T13:19:03.212Z","dateUpdated":"2026-04-20T16:13:06.767Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-20 16:16:50","lastModifiedDate":"2026-04-20 19:05:30","problem_types":["CWE-319","CWE-319 CWE-319 Cleartext transmission of sensitive information"],"metrics":{"cvssMetricV31":[{"source":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6066","Ordinal":"1","Title":"Unencrypted Client‑Server Communication in ConnectWise Automate™","CVE":"CVE-2026-6066","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6066","Ordinal":"1","NoteData":"ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.","Type":"Description","Title":"Unencrypted Client‑Server Communication in ConnectWise Automate™"}]}}}