SB2026031251 - Multiple vulnerabilities in Veeam Backup & Replication

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026031251

SB2026031251 - Multiple vulnerabilities in Veeam Backup & Replication

Published: March 12, 2026

Security Bulletin ID SB2026031251
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-21671)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user with the Backup Administrator role can execute arbitrary code in high availability (HA) deployments.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-21670)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improperly imposed security restrictions. A remote low-privileged user can extract saved SSH credentials and gain unauthorized access to other systems.


3) Input validation error (CVE-ID: CVE-2026-21669)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated domain user can execute arbitrary code on the Backup Server.


4) Input validation error (CVE-ID: CVE-2026-21708)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can execute arbitrary code with privileged of the postgres user.


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-21672)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improperly imposed security restrictions. A local user can execute arbitrary code with elevated privileges. 


6) Protection mechanism failure (CVE-ID: CVE-2026-21668)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote authenticated domain user can bypass restrictions and manipulate arbitrary files on a Backup Repository.


7) Input validation error (CVE-ID: CVE-2026-21667)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated domain user can execute arbitrary code on the Backup Server.


8) Input validation error (CVE-ID: CVE-2026-21666)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated domain user can execute arbitrary code on the Backup Server.


Remediation

Install update from vendor's website.

References