Vulnerability Description
Progress Software disclosed CVE-2026-4670, an authentication bypass vulnerability in MOVEit Automation, the workflow scheduling and orchestration component of the MOVEit managed file transfer product family. Progress describes the issue and its companion CVE-2026-5174 jointly as “Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces.” Per NVD, Progress assigns CVE-2026-4670 a CVSS v3.1 base score of 9.8 (Critical). CVE-2026-5174 is a separate improper-input-validation flaw in the same product, scored CVSS 8.8 (High) by NIST.
The two CVEs are paired in the bulletin, but Progress does not explicitly state that one flaw enables exploitation of the other. We have not seen a public proof of concept that demonstrates them being chained.
Progress’s stated impacts are unauthorized access, administrative control, and data exposure. MOVEit Automation is a workflow scheduler, so a compromised instance could expose the credentials and configurations the platform uses in file-transfer related tasks.

| Field | Description |
| --- | --- |
| CVE-ID | CVE-2026-4670 — CVSS v3 9.8 (critical) — assigned by Progress Software Corporation |
| Vulnerability Description | CVE-2026-4670 is a critical authentication bypass vulnerability in MOVEit Automation, the workflow scheduling and orchestration component of the MOVEit managed file transfer product family. Progress’s stated impacts are unauthorized access, administrative control, and data exposure. MOVEit Automation is a workflow scheduler, so a compromised instance could expose the credentials and configurations the platform uses in file-transfer related tasks. |
| Date of Disclosure | April 30, 2026 |
| Affected Assets | Per Progress’s April 2026 bulletin, CVE-2026-4670 explicitly affects MOVEit Automation. |
| Vulnerable Software Versions | 2025.0.0 to <2025.0.9 (fixed in 2025.0.9); 2024.0.0 to <2024.1.8 (fixed in 2024.1.8); versions prior to 2024.0.0 (unsupported, must upgrade to a supported branch). Note: Progress’s bulletin pairs CVE-2026-4670 with CVE-2026-5174 (privilege escalation), and the bulletin’s overall version-fix table also lists 2025.1.5 as a fixed version covering the 2025.1.x branch. Progress’s per-CVE wording for CVE-2026-4670 itself does not list the 2025.1.x branch as affected, so customers on 2025.1.x are upgrading to 2025.1.5 primarily for the privilege-escalation fix. |
| PoC Available | None publicly known at time of disclosure |
| Exploitation Status | No active exploitation reported at time of disclosure. Not in CISA KEV. |
| Patch Status | Patched versions available from Progress: MOVEit Automation 2025.1.5, MOVEit Automation 2025.0.9, and MOVEit Automation 2024.1.8. Customers on versions prior to 2024.0.0 must upgrade to a supported branch. Progress states that a full-installer upgrade is the only supported remediation path. |
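
For triaging an asset inventory against the version ranges in the table above, the following is an added example and not code from Progress or Censys. It assumes versions are recorded in the `YYYY.minor.patch` form used in the bulletin; the hostnames, sample versions and status labels are constructed for illustration.

```python
import re

# Ranges from the table above: (first version in range, first fixed release, status).
RANGES = [
    ((2024, 0, 0), (2024, 1, 8), "affected-CVE-2026-4670"),
    ((2025, 0, 0), (2025, 0, 9), "affected-CVE-2026-4670"),
    # 2025.1.x is in the bulletin's fix table but not in the per-CVE wording
    # for CVE-2026-4670, so it is reported under the companion CVE.
    ((2025, 1, 0), (2025, 1, 5), "upgrade-for-CVE-2026-5174"),
]
FIXED_BRANCHES = {(2024, 1), (2025, 0), (2025, 1)}
# Illustrative urgency order (assumption, not from the bulletin).
ORDER = ["affected-CVE-2026-4670", "unsupported", "upgrade-for-CVE-2026-5174",
         "unparsed", "not-listed", "fixed"]

def parse_version(text):
    """Parse 'YYYY.minor.patch' into a tuple; trailing build components are ignored."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(text):
    """Return (status, target release or None) for one installed version."""
    v = parse_version(text)
    if v < (2024, 0, 0):
        return ("unsupported", None)  # must move to a supported branch
    for low, fixed, status in RANGES:
        if low <= v < fixed:
            return (status, ".".join(map(str, fixed)))
    if v[:2] in FIXED_BRANCHES:
        return ("fixed", None)
    return ("not-listed", None)  # branch the table does not mention

def triage_inventory(inventory):
    """Turn {host: version} into rows sorted by urgency, then hostname."""
    rows = []
    for host, version in inventory.items():
        try:
            status, target = triage(version)
        except ValueError:
            status, target = "unparsed", None  # needs a manual check
        rows.append((host, version, status, target))
    return sorted(rows, key=lambda r: (ORDER.index(r[2]), r[0]))

# Constructed sample inventory (hostnames and versions are not real data).
SAMPLE = {"mft-a": "2025.0.8.1234", "mft-b": "2024.1.8", "mft-c": "2023.1.2",
          "mft-d": "2025.1.4", "mft-e": "unknown", "mft-f": "2024.0.5"}

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE):
        print(*row)
```
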
Censys ARC Perspective
Censys observes fewer than 100 exposed MOVEit Automation web admin interfaces globally. That count comes from multiple signals we identify in the MOVEit Automation web admin interface, which all converge on the same set of hosts.
Some early sizing of this vulnerability put exposure in the low thousands by way of a favicon hash, but that hash isn’t unique to MOVEit Automation. It is shared with other products, which inflates the picture by more than an order of magnitude when used as the primary signal.
Within the exposed population, the United States accounts for roughly two-thirds of hosts, with the remainder thinly scattered across Europe and Asia.
MOVEit Automation is a different product from MOVEit Transfer, the file-transfer endpoint at the center of the 2023 Cl0p campaign, and CVE-2026-4670 does not affect MOVEit Transfer. We are flagging this disclosure because the MOVEit name carries weight after 2023, not because the exposed population is large. Censys has tracked the MOVEit family closely since the original 2023 incident, including our coverage of the broader MOVEit Transfer exposure picture, an industry-level analysis of the affected population, and coverage of a later MOVEit Transfer authentication bypass.
References
Vendor and government:
- Progress MOVEit Automation Critical Security Alert Bulletin – April 2026 (CVE-2026-4670, CVE-2026-5174)
- NVD – CVE-2026-4670
- Canadian Centre for Cyber Security – AV26-410
- CCB Belgium advisory – CVE-2026-4670
- VULNRICHMENT advisory – CVE-2026-4670
Press coverage:
- BleepingComputer – Progress warns of critical MOVEit Automation auth bypass flaw
- The Hacker News – Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass
- Cybersecurity Dive – New MOVEit vulnerabilities prompt urgent patch warning

