CVE-2026-8381 - Vulnerability Details

- Broken Access Control in TeamViewer DEX Platform (On Premises)

Description

A broken access
control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not
correctly enforce authorization checks, allowing an authenticated user with low
privileges to perform actions and access resources intended only for higher‑privileged roles. An attacker with
low‑privileged credentials may exploit
this to gain unauthorized access to administrative or sensitive functionality.

Published: 2026-05-22

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The TeamViewer DEX Platform (On‑Premises) contains a broken access control flaw that allows a user who is authenticated with low privileges to access backend API endpoints that are intended for higher‑privileged roles. As a result, an attacker could gain unauthorized access to administrative operations or sensitive data, potentially compromising the integrity and confidentiality of the system. The weakness is classified as CWE‑862 – Broken Access Control.

Affected Systems

Any installation of the TeamViewer DEX Platform that uses a version earlier than 9.2 is affected. The issue is relevant to the on‑premises deployment of the platform, where the backend APIs are exposed to authenticated users. No later versions, such as 9.2 or newer, contain the fix.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker would need valid credentials for a low‑privilege account and the ability to send requests to the affected API endpoints. The vulnerable endpoints do not enforce proper authorization checks, allowing the attacker to elevate privileges and access sensitive resources.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TeamViewer

DEX (On-premises)

unaffected

Version	Status	Constraints
`0`	affected	< 9.2

No data.

Vendor Product Confidence Versions

Teamviewer

Dex

100%

Version	Status	Scheme	Platform
`[0,9.2)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update to the latest version (9.2 or the latest version available).

OpenCVE Recommended Actions

Apply the latest update to the TeamViewer DEX Platform (9.2 or newer) to eliminate the broken authorization checks.
If an upgrade cannot be performed immediately, enforce network segmentation or firewall rules to restrict access to the affected backend API endpoints, ensuring only authorized administrative hosts can reach them.
Strengthen role‑based permissions to remove administrative privileges from low‑privilege accounts and enable audit logging, then actively monitor logs for any anomalous activity.

Generated by OpenCVE AI on May 22, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1005/

History

Fri, 22 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 22 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Teamviewer Teamviewer dex
Vendors & Products		Teamviewer Teamviewer dex

Fri, 22 May 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for higher‑privileged roles. An attacker with low‑privileged credentials may exploit this to gain unauthorized access to administrative or sensitive functionality.
Title		Broken Access Control in TeamViewer DEX Platform (On Premises)
Weaknesses		CWE-862
References		https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1005/
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Teamviewer Dex

MITRE

Status: PUBLISHED

Assigner: TV

Published: 2026-05-22T08:29:16.451Z

Updated: 2026-05-22T13:45:33.655Z

Reserved: 2026-05-12T08:47:56.307Z

Link: CVE-2026-8381

Vulnrichment

Updated: 2026-05-22T13:45:29.773Z

NVD

Status : Received

Published: 2026-05-22T09:16:32.743

Modified: 2026-05-22T09:16:32.743

Link: CVE-2026-8381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:46Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object