CVE-2026-11889: Upgrade SALTO ProAccess Space to 6.13

CISA’s advisory for CVE-2026-11889 is narrowly scoped but important: only SALTO ProAccess Space installations running versions earlier than 6.13 with partitioning enabled are affected. Exploitation requires valid authenticated operator credentials. Organizations using partition-enabled deployments should upgrade to ProAccess Space 6.13.
CISA describes the issue as an authorization weakness that can allow an authenticated attacker to access spaces outside the attacker’s assigned logical partition within the same ProAccess Space installation. Installations that do not have partitioning enabled are not affected by this vulnerability, according to the advisory.
That scope matters. This is not an unauthenticated internet-access vulnerability, and it is not a claim that every ProAccess Space deployment is exposed. It is a problem in the enforcement of a logical boundary for deployments that use the affected feature. For organizations relying on partitions to limit what individual operators can access, the advisory calls for both an upgrade and a review of how broadly operator accounts are granted access.

Access control dashboard flags an authorization bypass between headquarters and the research lab.The Affected Boundary Is Logical Partitioning​

CISA identifies CVE-2026-11889 as CWE-639, Authorization Bypass Through User-Controlled Key. That weakness category generally concerns authorization decisions involving a user-supplied identifier or requested resource. In this case, CISA states that an authorized attacker could access spaces outside the assigned partition and potentially access any space managed by the affected product.
The advisory does not establish every possible downstream administrative action that could follow from that access. It should therefore not be read as proof that the vulnerability enables every operation available in an access-control environment. The supported finding is more specific: an authenticated operator may be able to cross the logical partition assigned to that operator and reach spaces that should be outside that partition.
For security teams, that is enough to make the issue material. Partitioning is enabled specifically in deployments where administrators need logical separation inside one installation. If the authorization control enforcing that separation can be bypassed, the installation’s partition assignments cannot be treated as a reliable limitation until the affected software is updated.
CISA’s scoring also reflects that this is an authenticated network-reachable issue rather than a local-only condition.
AssessmentBase scoreSeveritySupported characteristics
CVSS v3.16.5MediumNetwork reachable, low privileges required, no user interaction, high integrity impact
CVSS v4.07.1HighAuthenticated, low-privilege attack conditions with high integrity impact
Both scoring entries require attacker authentication. Neither requires user interaction. The scores should not be interpreted as evidence of public exploitation, nor as a complete description of every operational consequence in a particular deployment. They do, however, reinforce CISA’s central point: a low-privileged authenticated account can be relevant to the vulnerability when partitioning is enabled.

Authentication Is a Prerequisite, Not a Reason to Defer Remediation​

CISA reports no known public exploitation specifically targeting CVE-2026-11889. That is useful context, but it does not change the remediation target for affected systems.
The vulnerability requires valid operator credentials. As a result, the relevant exposure question is whether accounts that can authenticate to the affected installation are limited to the people and systems that require them. CISA’s recommended defensive measures include minimizing network exposure, placing control-system networks and remote devices behind firewalls and separating them from business networks where appropriate, and applying least-privilege principles.
Those recommendations should be applied alongside the upgrade rather than instead of it. Network protections can reduce exposure to the management environment. Least privilege can reduce the number and scope of operator accounts. Neither measure changes the version condition identified by CISA: a partition-enabled deployment running a version earlier than 6.13 needs the vendor-provided update.
This is also why the advisory should not be reduced to a question of public internet exposure. A protected internal network is a recommended control, but the affected authorization decision occurs after an attacker has authenticated. Organizations should assess both sides of the problem:
  1. Which systems and accounts can reach the ProAccess Space environment?
  2. Is partitioning enabled on an installation running a version earlier than 6.13?
  3. Have operator accounts been restricted to the minimum access required?
  4. Does the deployment require stronger separation than a shared logical-partition model can provide?
The first and third questions are exposure-reduction work. The second is the immediate vulnerability-remediation question. The fourth is a longer-term architecture question raised by CISA’s guidance for environments requiring stronger isolation.

CISA’s Remediation Direction Is Straightforward​

CISA’s primary recommendation is to upgrade ProAccess Space to version 6.13 where the tenancy or partitioning feature is in use. That is the supported remediation for the affected version range.
CISA also recommends that organizations conduct appropriate impact analysis and risk assessment before implementing defensive measures. In practical terms, this means facilities, security, and IT teams should identify affected installations, confirm whether partitioning is enabled, determine the installed version, and plan the update through their established change-management process.
The advisory supports a focused workflow:
  • Identify ProAccess Space deployments.
  • Determine whether logical partitioning is enabled.
  • Confirm whether the installed version is earlier than 6.13.
  • Upgrade affected partition-enabled deployments to 6.13.
  • Reduce operator access to the minimum necessary.
  • Keep the system on a protected internal network.
  • Disable partitioning if it is not needed and doing so is feasible.
  • Consider separately isolated instances where strong tenant separation is required.
This approach avoids two unhelpful extremes. The first is treating every deployment as affected without checking whether partitioning is enabled. The second is treating the authentication requirement as sufficient reason to postpone patching. CISA’s advisory provides a clear condition for identifying affected systems and a clear target version for remediation.

Administrators Should Treat This as an Inventory-and-Upgrade Exercise​

The most useful first step is an accurate inventory. Organizations should identify each ProAccess Space installation under their administration and record the installed version. That inventory should distinguish between deployments where partitioning is enabled and deployments where it is not.
The distinction is central to CVE-2026-11889. According to CISA, the issue affects ProAccess Space versions earlier than 6.13 only when the partitioning feature is enabled. A version check without a configuration check can therefore produce an incomplete picture. Conversely, an organization may find an older installation that is outside the vulnerability’s affected configuration because partitioning is not enabled.
For systems that meet both conditions—version earlier than 6.13 and partitioning enabled—the remediation path is to upgrade to 6.13. Organizations should use their normal maintenance planning, approval, validation, and recovery processes for the change. The advisory does not provide a specific post-update procedure such as a required service restart, so administrators should follow the installation and update instructions supplied through their approved vendor-support channel for their environment.
The absence of a universal operational sequence in the advisory is important. A security notice can establish the affected versions and recommended target version without documenting every local maintenance dependency. Teams should avoid treating unverified procedural details as mandatory guidance. The supported action is the upgrade; the exact implementation steps should come from the applicable product documentation, vendor support, and the organization’s own change controls.

Action checklist for admins​

  • Inventory all ProAccess Space installations and identify the version running on each system.
  • Determine whether tenancy or logical partitioning is enabled for each installation.
  • Prioritize any deployment that has partitioning enabled and is running a version earlier than 6.13.
  • Upgrade affected partition-enabled deployments to ProAccess Space 6.13.
  • Restrict operator accounts according to least-privilege principles and remove access that is no longer required.
  • Keep ProAccess Space on a protected internal network and minimize unnecessary network exposure.
  • Use firewalls and network segmentation consistent with the organization’s control-system security practices.
  • Disable partitioning where it is feasible and where the feature is not needed.
  • Where strong tenant separation is required, assess whether separate isolated instances are more appropriate than relying solely on logical partitioning.
  • Document the assessment, upgrade decision, and completion status for each affected deployment.

Stronger Separation May Require an Architectural Decision​

CISA’s recommendations extend beyond patching. The advisory advises organizations to consider using separate, isolated systems where stronger tenant separation is required. That recommendation is significant because it distinguishes between a software feature that provides logical separation and an environment that requires isolation as a primary security property.
The advisory does not state that all partitioned deployments must be replaced with separate instances. Nor does it state that partitioning is inherently unsafe after updating. The immediate vulnerability is addressed by upgrading affected partition-enabled installations to version 6.13.
However, organizations can still use the advisory as a prompt to clarify what they expect partitioning to accomplish. If the feature is used for administrative organization and the deployment’s risk assessment supports a shared installation, an updated system with restricted accounts and protected network placement may be appropriate. If separate groups require stronger isolation, CISA’s guidance supports evaluating separately isolated instances.
That evaluation should be based on the organization’s own risk requirements rather than unsupported assumptions about particular industries, contracts, integrations, databases, or licensing models. The relevant question is simple: does the deployment need a stronger separation boundary than a shared application environment with logical partitions provides?
This is not a reason to delay the upgrade. It is a parallel planning question. Update affected systems first, then determine whether the existing architecture matches the level of separation the organization expects to maintain.

What the CVSS Scores Do—and Do Not—Say​

The CVSS v3.1 score is 6.5, rated Medium. The CVSS v4.0 score is 7.1, rated High. The advisory’s vectors support several concrete observations: the attack vector is network-based, privileges are required but low, and user interaction is not required. Both assessments assign high integrity impact.
Those characteristics are useful for prioritization. They indicate that the vulnerability is not dependent on local physical access to the affected system and does not require a separate user to take an action during exploitation. At the same time, the requirement for authenticated operator credentials is a real precondition and should be included in internal risk communications.
Organizations should avoid overstating what the scores prove. CVSS is a severity framework, not a substitute for deployment-specific analysis. It does not identify the number of reachable operator accounts, the network exposure of a particular installation, or the importance of the spaces managed by that installation. Those are local facts that each organization must assess.
A practical reading of the advisory is therefore:
  • The vulnerability is limited to a defined product configuration.
  • It requires authenticated operator credentials.
  • It can allow access outside the operator’s assigned partition.
  • The affected configuration should be upgraded to version 6.13.
  • Network protection and least privilege remain recommended controls.
  • Separate isolated deployments should be assessed when strong tenant separation is necessary.
That is a more precise response than either dismissing the issue because authentication is required or treating it as an unauthenticated compromise of every ProAccess Space environment.

The Immediate Decision Is Clear​

CVE-2026-11889 does not apply to every ProAccess Space deployment. It applies to ProAccess Space versions earlier than 6.13 where partitioning is enabled, and exploitation requires valid authenticated operator credentials.
For affected organizations, the immediate action is not speculative: upgrade partition-enabled deployments to ProAccess Space 6.13. At the same time, follow CISA’s broader guidance by limiting operator accounts, minimizing network exposure, keeping the environment on a protected internal network, and disabling partitioning when it is not required.
The longer-term question is architectural. Where an organization requires strong tenant separation, CISA recommends considering separate isolated instances rather than relying solely on logical partitioning. The advisory therefore serves two purposes: it provides a specific upgrade target for a defined authorization flaw, and it gives physical-access teams a reason to verify that their intended separation model matches their actual security requirements.

References​

  1. Primary source: CISA
    Published: 2026-07-16T12:00:00+00:00
  2. Related coverage: saltosystems.com
  3. Related coverage: scribd.com
  4. Related coverage: plany.fuw.edu.pl
 

Back
Top