Description
ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.
Published: 2026-04-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unencrypted traffic interception
Action: Apply patch
AI Analysis

Impact

The vulnerability permits certain client-to-server communications in ConnectWise Automate’s Solution Center to occur without transport‑layer encryption, which could allow an attacker who can observe the network to intercept and read the traffic. This loss of confidentiality can expose credentials or other sensitive data that is transmitted between clients and the server.

Affected Systems

ConnectWise Automate deployments that use the on‑premises Solution Center are affected. The vulnerability is present in all on‑premises versions prior to the 2026.4 release; cloud‑based deployments do not require action.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high risk. While the EPSS score is not available, the nature of the flaw suggests that network‑based attackers could easily exploit it, especially in environments lacking proper segmentation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through an eavesdropping network path between client machines and the Solution Center, where an interceptor can capture unencrypted packets. Due to the absence of encryption, an attacker can obtain sensitive data but cannot remotely execute code or modify data.

Generated by OpenCVE AI on April 20, 2026 at 16:26 UTC.

Remediation

Vendor Solution

Remediation Cloud: No action is required.  On-Premise: Apply the 2026.4 release. For instruction on updating to the newest release, please reference this doc: Automate Release Notes Version 2026 - ConnectWise https://docs.connectwise.com/ConnectWise_Automate_Documentation/100/Automate_Release_Notes_Version_2026 After applying the update, on-premises customers must ensure the following configurations are in place: * An SSL certificate is bound to the Solution Center on port 8484 to establish secure communication. Refer to the ConnectWise documentation for configuration steps: Solution Center Client and Service HTTPS Update - ConnectWise * In some environments, antivirus or endpoint protection products may interfere with the Automate patch installer or service behavior during upgrades. If issues are encountered during installation or startup, refer to the ConnectWise documentation for recommended antivirus exclusions: Automate Antivirus Exclusions for Windows https://docs.connectwise.com/ConnectWise_Automate_Documentation/060/040/010 * Ensure that the LTShare has a minimum of 1 GB of free disk space prior to installation. If you experience issues completing the update or required configuration steps, please contact ConnectWise Support for assistance.

OpenCVE Recommended Actions

  • Apply the 2026.4 release to all on‑premises servers
  • Ensure an SSL certificate is bound to the Solution Center on port 8484 after upgrading
  • Add the recommended antivirus exclusions for the Automate installer and service
  • Make sure LTShare has a minimum of 1 GB free disk space before installation

Generated by OpenCVE AI on April 20, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Connectwise
Connectwise automate
Vendors & Products Connectwise
Connectwise automate

Mon, 20 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description ConnectWise has released a security update for ConnectWise Automate™ that addresses a behavior in the ConnectWise Automate Solution Center where certain client-to-server communications could occur without transport-layer encryption. This could allow network‑based interception of Solution Center traffic in Automate deployments. The issue has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.
Title Unencrypted Client‑Server Communication in ConnectWise Automate™ Solution Center
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Connectwise Automate
cve-icon MITRE

Status: PUBLISHED

Assigner: ConnectWise

Published:

Updated: 2026-04-20T16:13:06.767Z

Reserved: 2026-04-10T13:19:03.212Z

Link: CVE-2026-6066

cve-icon Vulnrichment

Updated: 2026-04-20T16:12:59.962Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T16:16:50.123

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-6066

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:30:06Z

Weaknesses