Access our demo library to view BeyondTrust products in action.
Learn More Learn MoreComplete your PAM journey with detailed guidance, hands-on capability checklists, and more.
Learn More Learn MoreLearn why Gartner® has named BeyondTrust as a PAM Leader once again.
Learn More Learn MoreExplore how customers are using our solutions to advance security and productivity.
Learn More Learn MoreOffering a wide array of services and benefits tailored to your specific needs
Learn More Learn MoreLearn how BeyondTrust solutions protect companies from cyber threats.
Learn More Learn MoreAccess our demo library to view BeyondTrust products in action.
Learn More Learn MoreThis security advisory addresses multiple internally discovered vulnerabilities affecting Remote Support and Privileged Remote Access products. These issues were identified by the BeyondTrust Product Security team as part of ongoing security assessments. Customers are advised to review the details below and update to the fixed versions as outlined.
BeyondTrust Remote Support and Privileged Remote Access are affected by multiple internally discovered vulnerabilities ranging from critical to high severity. These vulnerabilities were identified through BeyondTrust's internal security research program. These vulnerabilities were identified through BeyondTrust's own AI-driven vulnerability research using publicly available AI models (Opus 4.8) and our proprietary research tooling. The work was conducted independently of Project Glasswing.
The most severe vulnerabilities may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance under specific configurations. Additional vulnerabilities may allow service disruption, unintended data access, and under distinct configurations, elevated access by an authenticated user that may impact system integrity.
Summary table
| CVE | Severity | CVSS v4 Score |
|---|---|---|
| CVE-2026-40138 | Critical | 9.2 |
| CVE-2026-40139 | Critical | 9.2 |
| CVE-2026-40140 | High | 8.7 |
| CVE-2026-40141 | High | 8.5 |
A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access.
Improper validation of authentication data may allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. Exploitation requires a specific authentication configuration to be enabled.
A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support.
Improper processing of authentication requests may allow an unauthenticated remote attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. Exploitation requires a specific authentication configuration to be enabled.
BeyondTrust Remote Support and Privileged Remote Access contain a high-severity pre-authentication vulnerability in the network communication subsystem.
Insufficient validation of client-supplied input may allow an unauthenticated remote attacker to trigger a denial-of-service condition affecting appliance availability.
A high-severity vulnerability exists in a web application component of BeyondTrust Remote Support and Privileged Remote Access related to the processing of certain input parameters.
Insufficient validation of user-supplied input may allow an authenticated attacker with limited privileges to access unintended resources or data beyond their authorization scope. Exploitation is restricted to accounts with specific permissions.
A patch has been applied to all RS/PRA cloud customers as of April 21,2026.
Self-hosted customer should apply the April security rollup patch for the affected version if their instance is not subscribed to automatic updates or upgrade to RS 25.3.3 & above or PRA 25.3.3 & above.
| Product | Version |
|---|---|
| Remote Support | RS 25.3.2 or lower |
| Privileged Remote Access | PRA 25.3.2 or lower |
| Product | Version |
|---|---|
| Remote Support | Yes RS patch Security Rollup April 2026 25 RS or Security Rollup April 2026 24 RS dependent on the RS version |
| Yes RS 25.3.3 & above | |
| Privileged Remote Access | Yes PRA patch Security Rollup April 2026 25 PRA or Security Rollup April 2026 24 PRA dependent on the PRA version |
| Yes PRA 25.3.3 & above |