Primary

Context

Commvault Unauthenticated API Access Vulnerability Allowing Unauthorized Execution of API Calls

Vulnerability

Patched

A vulnerability exists in Commvault versions 11.32.0 through 11.32.101 and 11.36.0 through 11.36.59. The issue arises from a login mechanism that permits unauthenticated attackers to execute API calls without user credentials. While role-based access control (RBAC) can limit exposure, it does not completely eliminate the risk.

Impact

Exploitation of this vulnerability allows for unauthorized execution of API calls, potentially leading to unauthorized access or manipulation of data and functions within the Commvault environment.

Remediation

Users should upgrade to Commvault version 11.32.102 or 11.36.60, depending on their current version. Instructions for verifying if the update is installed are available in the Commvault documentation.

Added: Aug 20, 2025, 4:18 AM

Updated: Aug 20, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

5.0

exploitability

7.0

remediation

7.7

relevance

0.4

threat

1.6

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

5.0

exploitability

7.0

remediation

7.7

relevance

0.4

threat

1.6

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Commvault Unauthenticated API Access Vulnerability Allowing Unauthorized Execution of API Calls

Vulnerability

Impact

Remediation

Affected Products

Commvault

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating