{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22266", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-01-07T06:43:46.536Z", "datePublished": "2026-02-19T09:06:21.289Z", "dateUpdated": "2026-02-20T16:10:51.265Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PowerProtect Data Manager", "vendor": "Dell", "versions": [{"lessThan": "19.22.0-24 or later", "status": "affected", "version": "N/A", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "other", "value": "Dell would like to thank brocked200 (Nguyen Quoc Khanh) for reporting these issues."}], "datePublic": "2026-02-17T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.<br>"}], "value": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-146", "description": "CWE-146: Improper Neutralization of Expression/Command Delimiters", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-19T09:06:21.289Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T16:10:37.399792Z", "id": "CVE-2026-22266", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:10:51.265Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "other", "value": "Dell would like to thank brocked200 (Nguyen Quoc Khanh) for reporting these issues."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "PowerProtect Data Manager", "versions": [{"status": "affected", "version": "N/A", "lessThan": "19.22.0-24 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-17T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.", "supportingMedia": [{"type": "text/html", "value": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-146", "description": "CWE-146: Improper Neutralization of Expression/Command Delimiters"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-19T09:06:21.289Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T16:10:37.399792Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-20T16:10:44.780Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-22266", "state": "PUBLISHED", "dateUpdated": "2026-02-19T09:06:21.289Z", "dateReserved": "2026-01-07T06:43:46.536Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-02-19T09:06:21.289Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:powerprotect_data_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "17D7AA01-F2D1-4DCF-BF83-0550AA9CC59A", "versionEndExcluding": "19.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass."}], "id": "CVE-2026-22266", "lastModified": "2026-02-20T16:36:07.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T10:16:11.630", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000429778/dsa-2026-046-security-update-for-dell-powerprotect-data-manager-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-146"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,19.22.0-24)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerProtect Data Manager", "source": "cna", "vendor": "Dell"}, "product": "powerprotect_data_manager", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-18T11:48:49.593398+00:00", "value": {"mitigation_remediation": ["Apply the Dell PowerProtect Data Manager update that includes the fix for this issue (see DSA\u20112026\u2011046).", "If the patch cannot be applied immediately, restrict access to the REST API and enforce least privilege on accounts that use it.", "Enable logging and anomaly detection for REST API traffic to identify attempts to establish unauthorized channels promptly."], "summary": {"action": "Patch", "impact": "Protection Mechanism Bypass"}, "threat_synthesis": {"affected_systems": "Dell PowerProtect Data Manager versions prior to 19.22, exposed through its network\u2011facing REST API.", "description_and_impact": "The vulnerability is an improper verification of the source of a communication channel in the REST API of Dell PowerProtect Data Manager, allowing a high\u2011privileged attacker with remote access to create an unverified channel that the service accepts, thereby bypassing the protection mechanism that safeguards the data manager.", "risk_and_exploitability": "The CVSS score of 4.7 indicates moderate severity. The EPSS score is less than 1%, showing a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network access to the REST API, and an attacker would need high\u2011privileged credentials to exploit the flaw."}}}}, "created": "2026-02-20T10:07:49.540206+00:00", "title": "Improper Source Verification in Dell PowerProtect REST API Allows Protection Bypass", "updated": "2026-04-18T12:00:05.877205+00:00", "vendors": ["dell", "dell$PRODUCT$powerprotect_data_manager"]}