ConnectWise Automate™ 2026.5 Security Update
Date: 05/21/2026
Product(s): ConnectWise Automate
Severity: Important
Priority: 2 – Moderate
Summary
ConnectWise has released a security update for ConnectWise Automate™ addressing an issue in the agent's plugin loading and self-update processes. Under certain conditions, components obtained during these operations may be processed without full integrity verification prior to loading. Automate 2026.5 includes enhanced integrity verification for all agent components.
Vulnerability
CVE-2026-9089
| CWE ID | Description | Base Score | Vector |
|---|---|---|---|
| CWE-494 | Download of Code Without Integrity Check | 8.8 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Severity
Important — Vulnerabilities that could compromise confidential data or other resources but require additional access, privilege or circumstances to do so.
Priority
2 Moderate — Vulnerabilities that have elevated risk but exploits are neither known nor anticipated to be imminent. Recommend updates be prioritized against normal change management timelines but no longer than 30 days.
Affected versions
ConnectWise Automate versions prior to 2026.5
Remediation
Cloud
Cloud instances have already been updated to the latest Automate release.
On-prem
Apply the 2026.5 release.
For instruction on updating to the newest release, please reference this doc: ConnectWise Automate Release Notes 2026.5