Introduction
A missing authentication check in Dell PowerProtect Data Domain's operating system allows an unauthenticated remote attacker to reach a critical function and execute arbitrary commands as root, provided a legitimate user can be coaxed into performing a specific action. With a CVSS 3.1 base score of 8.8 and the potential for complete system compromise, this vulnerability puts enterprise backup infrastructure squarely in the crosshairs.
Dell PowerProtect Data Domain is a purpose-built backup and deduplication storage platform widely deployed in enterprise environments to protect data across on-premises and multi-cloud architectures. It serves as the backbone of disaster recovery strategies for organizations of all sizes. A compromise of this system could give an attacker access to, or control over, an organization's entire backup repository.
Technical Information
Root Cause: Missing Authentication for Critical Function (CWE-306)
CVE-2026-26944 is classified under CWE-306: Missing Authentication for Critical Function. Within the DD OS, a network accessible function that performs a privileged operation was exposed without any authentication enforcement. An unauthenticated remote attacker could reach this function directly over the network.
The CVSS 3.1 vector string is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Breaking this down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No special conditions or race conditions needed |
| Privileges Required (PR) | None | The attacker does not need any credentials |
| User Interaction (UI) | Required | An authenticated user must perform a specific action |
| Scope (S) | Unchanged | The vulnerability's impact stays within the vulnerable component |
| Confidentiality (C) | High | Full read access to the system |
| Integrity (I) | High | Full write/modification capability |
| Availability (A) | High | Complete denial of service possible |
Attack Flow
Based on the advisory details, the exploitation sequence works as follows:
- Attacker positions themselves on the network with access to the Data Domain management interface. No prior authentication or credentials are needed on the attacker's side.
- Attacker targets the unauthenticated critical function. Because the vulnerable function lacks authentication checks entirely, the attacker can interact with it directly.
- User interaction is triggered. The attacker must induce a legitimate, authenticated Data Domain user to perform a specific action. This could involve social engineering, such as sending a crafted link or resource that the authenticated administrator interacts with while logged into the management interface.
- Arbitrary command execution as root. Once the authenticated user performs the required action, the attacker achieves arbitrary command execution with root privileges on the Data Domain appliance.
The result is a complete compromise of the system: full control over confidentiality, integrity, and availability of the backup data stored on the appliance.
Related Vulnerabilities in DSA-2026-060
CVE-2026-26944 was disclosed as part of Dell Security Advisory DSA-2026-060, which addresses more than a dozen root-level vulnerabilities in the same product. Several of these are OS command injection and improper input validation flaws, all leading to privileged command execution:
| CVE ID | Vulnerability Type | CVSS Score | Privileges Required |
|---|---|---|---|
| CVE-2026-24504 | Improper input validation | 7.2 | High |
| CVE-2026-24505 | Improper input validation | 7.2 | High |
| CVE-2026-24506 | OS command injection | 7.2 | High |
| CVE-2026-26942 | OS command injection | 6.7 | High |
| CVE-2026-22761 | Command injection | 6.7 | High |
| CVE-2026-35153 | Argument injection | 6.7 | High |
| CVE-2026-35073 | OS command injection | 6.7 | High |
What makes CVE-2026-26944 stand out from this group is the combination of no privileges required and a high CVSS score of 8.8. Most of the sibling vulnerabilities require high privileges (an already authenticated admin), whereas CVE-2026-26944 only requires user interaction from an authenticated user, not attacker authentication.
Patch Information
Dell has addressed CVE-2026-26944 through firmware updates to the Data Domain Operating System (DD OS), released as part of Dell Security Advisory DSA-2026-060 on April 14, 2026. Because the vulnerability resides in Dell's proprietary DD OS code, no source code diff or open source commit is publicly available. The fix is delivered exclusively through official DD OS firmware packages.
The patch adds authentication enforcement to the previously unauthenticated critical function, closing the gap that allowed arbitrary command execution with root privileges.
Remediated Firmware Versions
| Release Track | Affected Versions | Fixed Version |
|---|---|---|
| DD OS Feature Release (8.6) | 7.7.1.0 through 8.6.0.0 | 8.6.1.10 or 8.7.0.0 or later |
| DD OS LTS2025 (8.3.1) | 8.3.1.0 through 8.3.1.20 | 8.3.1.30 or later |
| DD OS LTS2024 (7.13.1) | 7.13.1.0 through 7.13.1.60 | 7.13.1.70 or later |
| PowerProtect DP Series (IDPA) | Versions prior to 2.7.9 | 2.7.9 (ships with DD OS 8.3.1.30) |
Additional Patch Notes
DD OS version 8.6.1.10 is particularly significant as it marks the first release of Dell's new LTS 2026 long-term support branch, meaning organizations adopting it receive both the CVE-2026-26944 fix and extended support lifecycle benefits.
The affected product surface is broad, encompassing Dell PowerProtect Data Domain physical appliances, Data Domain Virtual Edition (DDVE), and Dell APEX Protection Storage. All require the same DD OS firmware update.
Dell notes that some security scanners may continue to report false positive findings even after upgrading to the remediated DD OS versions. Dell has published separate false positive KB articles for each DD OS branch (8.7, 8.6, 8.3, and 7.13) to help administrators differentiate real residual risk from scanner noise.
Firmware updates are available through the official Dell PowerProtect Data Domain support downloads page. Administrators should follow Dell's standard DD OS upgrade procedures documented in their knowledge base.
Affected Systems and Versions
The following Dell PowerProtect Data Domain configurations are vulnerable:
DD OS Feature Releases: Versions 7.7.1.0 through 8.6.0.0
DD OS LTS2025 Release: Versions 8.3.1.0 through 8.3.1.20
DD OS LTS2024 Release: Versions 7.13.1.0 through 7.13.1.60
PowerProtect DP Series (IDPA): Versions prior to 2.7.9
The vulnerability affects all form factors running these DD OS versions: physical Data Domain appliances, Data Domain Virtual Edition (DDVE), and Dell APEX Protection Storage.
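Because the affected and fixed builds sit on three DD OS tracks whose numeric ranges overlap (every 8.3.1.x build also lies numerically between 7.7.1.0 and 8.6.0.0), a plain version comparison is not enough to triage a fleet. The following Python, added here as an example and not Dell's tooling, encodes the ranges from the tables above and classifies each reported version by track; a build between the last listed affected version and the first fixed one (for example 8.3.1.25) is reported as UNLISTED rather than guessed. The inventory it reads is constructed sample data.

```python
"""Triage DD OS / IDPA versions against the DSA-2026-060 ranges quoted above.

Added example, not Dell's code. Ranges are copied from the remediation and
affected-versions tables in the text; nothing outside them is inferred.
"""
from typing import Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.3.1.20' -> (8, 3, 1, 20); zero-padded to four fields so that
    tuples compare cleanly. Non-numeric fields raise ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


# (track, prefix that selects the track, lowest affected, highest affected,
#  first fixed build). LTS tracks are listed first so their prefix wins over
# the feature-release range, which numerically contains them.
DDOS_TRACKS = [
    ("DD OS LTS2025 (8.3.1)", (8, 3, 1), "8.3.1.0", "8.3.1.20", "8.3.1.30"),
    ("DD OS LTS2024 (7.13.1)", (7, 13, 1), "7.13.1.0", "7.13.1.60", "7.13.1.70"),
    # "8.6.1.10 or 8.7.0.0 or later": anything >= 8.6.1.10 counts as fixed.
    ("DD OS Feature Release", None, "7.7.1.0", "8.6.0.0", "8.6.1.10"),
]
IDPA_FIXED = "2.7.9"  # PowerProtect DP Series: versions prior to 2.7.9 affected


def classify(version_text: str, product: str = "ddos") -> dict:
    """Return {'track': ..., 'status': AFFECTED | FIXED | UNLISTED}."""
    v = parse_version(version_text)
    if product == "idpa":
        status = "FIXED" if v >= parse_version(IDPA_FIXED) else "AFFECTED"
        return {"track": "PowerProtect DP Series (IDPA)", "status": status}
    for track, prefix, low, high, fixed_from in DDOS_TRACKS:
        if prefix is not None and v[: len(prefix)] != prefix:
            continue
        lo, hi, fx = (parse_version(x) for x in (low, high, fixed_from))
        if v >= fx:
            return {"track": track, "status": "FIXED"}
        if lo <= v <= hi:
            return {"track": track, "status": "AFFECTED"}
        # Between the last affected and first fixed build, or below the range.
        return {"track": track, "status": "UNLISTED"}
    return {"track": "unknown", "status": "UNLISTED"}


# Constructed inventory (hostname, product, version); not real hosts.
INVENTORY = """\
dd-bkp-01 ddos 8.3.1.20
dd-bkp-02 ddos 8.3.1.30
ddve-lab-01 ddos 8.6.0.0
dd-arch-01 ddos 7.13.1.70
dd-stage-01 ddos 8.3.1.25
idpa-site-a idpa 2.7.8
"""


def triage(inventory: str) -> list:
    """Classify every non-empty inventory line as (host, track, status)."""
    rows = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        result = classify(version, product)
        rows.append((host, result["track"], result["status"]))
    return rows


if __name__ == "__main__":
    for host, track, status in triage(INVENTORY):
        print("%-12s %-28s %s" % (host, track, status))
```

Hosts reported as UNLISTED should be confirmed against the advisory itself rather than treated as safe, and the false positive KB articles Dell publishes per branch (noted above) are the reference for scanner findings that persist after an upgrade.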
Vendor Security History
The DSA-2026-060 advisory addresses more than a dozen vulnerabilities simultaneously, many of which enable root-level command execution. This cluster of flaws across multiple vulnerability classes (missing authentication, OS command injection, improper input validation, argument injection) in a single product release suggests a broad attack surface within the DD OS management layer. Dell's decision to address all of these in a single coordinated advisory, including fixes for third-party components like Apache Commons FileUpload and OpenSSL, indicates a thorough security review of the product. Dell has stated that there is no indication of active exploitation for any of the disclosed vulnerabilities.
References
- DSA-2026-060: Security Update for Dell PowerProtect Data Domain Multiple Vulnerabilities
- NVD Entry for CVE-2026-26944
- CVE Record: CVE-2026-26944
- Heise: Numerous attacks on Dell PowerProtect Data Domain possible
- CISA Known Exploited Vulnerabilities Catalog
- Dell PowerProtect Data Domain Support Downloads
- Feedly CVE-2026-26944 Tracking