A critical vulnerability (CVE-2026-32999, CVSS score 9.1) in Comet Backup allows attackers to execute code remotely, posing a severe risk to enterprise backup systems. The flaw affects all versions prior to 26.4.3 and 26.5.0, enabling attackers to gain access to sensitive user data and compromise the backup server. Immediate remediation involves upgrading self-hosted installations to the patched versions. The flaw arises from administrative branding permissions that allow tenant administrators to execute malicious code.
Critical CVE-2026-32999 flaw in Comet Backup permits remote code
Article by CyberSIXT