Description
A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
Published: 2026-03-12
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Veeam Backup and Replication’s Backup Viewer enables an attacker to execute arbitrary code with the privileges of the postgres user. This gives potential control over the PostgreSQL database service and could compromise database integrity, confidentiality, and availability.

Affected Systems

The vulnerability impacts any deployment of Veeam Backup and Replication that includes the Backup Viewer component. Specific product versions are not disclosed, so all installations that use this feature remain potentially exposed until a fix is applied.

Risk and Exploitability

The CVSS score is not provided, indicating that the exact severity has not been published. The EPSS score of < 1% indicates a low likelihood of current exploitation. The absence from the CISA KEV catalog does not lessen the risk, as the high‑impact potential demands urgent attention. The most likely exploitation path is through remote access to the Backup Viewer interface, where an attacker can supply crafted input to trigger code execution as the postgres user. Once executed, the attacker could gain further access or persist within the system.

Generated by OpenCVE AI on April 18, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor updates as described in the official KB articles at https://www.veeam.com/kb4830 and https://www.veeam.com/kb4831; this patch addresses the RCE by fixing input validation, SQL construction, and dynamic code execution weaknesses identified as CWE‑89.
  • Add input sanitization to all parameters accepted by the Backup Viewer interface to mitigate input issues.
  • Refactor any database interactions to use parameterized queries or safe escaping to prevent SQL injection (CWE‑89).
  • Remove or secure any code generation or `exec`/`eval` functionality within Backup Viewer that could enable dynamic code execution.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam:Backup and Replication

Sat, 18 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Veeam Backup Viewer RCE via Postgres User
Weaknesses CWE-20
CWE-94

Fri, 17 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Fri, 17 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Veeam Backup Viewer RCE via Postgres User
Weaknesses CWE-20
CWE-94

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-94

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-94

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-269
CWE-94

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Veeam Backup Viewer as Postgres User
Weaknesses CWE-269
CWE-94

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup and Recovery
Weaknesses CWE-94

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup and Recovery
Weaknesses CWE-94

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-78

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-78

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-20
CWE-269

Fri, 20 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Backup Viewer in Veeam Backup & Recovery
Weaknesses CWE-20
CWE-269

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Veeam
Veeam backup And Recovery
Vendors & Products Veeam
Veeam backup And Recovery

Thu, 12 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
Description A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Veeam Backup And Recovery
MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-04-17T15:32:10.772Z

Reserved: 2026-01-04T15:00:06.573Z

Link: CVE-2026-21708

Vulnrichment

Updated: 2026-03-12T17:28:02.623Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T17:16:36.683

Modified: 2026-04-17T16:16:36.307

Link: CVE-2026-21708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T21:30:10Z

Weaknesses