Dell ECS and ObjectScale Multiple Vulnerabilities

Instructure - Advisory & Report - Secure ISS

Overview

  • CVE: CVE-2026-40636, CVE-2026-26946, CVE-2026-35157, CVE-2025-43992

  • Severity: Critical

  • Platform: Dell ECS and ObjectScale

  • Incident Type: Authentication / Credential Vulnerability

  • Advisory Date: 13 May 2026

Dell has disclosed multiple vulnerabilities affecting ECS and ObjectScale, addressed in security advisory DSA-2026-019. The most severe is CVE-2026-40636 (CVSS 9.8), a critical use of hard-coded credentials that could allow an unauthenticated attacker with local access to gain filesystem access. Three additional medium-severity issues cover OS privilege escalation, CSV formula injection in the UI, and an authentication bypass in Geo replication. Organisations running affected versions should upgrade to ObjectScale 4.3.0.0 or later, change default credentials where applicable, and review exposure across ECS and ObjectScale environments.


Affected Versions

  • Dell ECS: Versions 3.8.1.0 through 3.8.1.7

  • Dell ObjectScale: Versions prior to 4.3.0.0

  • Fix: Upgrade to ObjectScale 4.3.0.0 or later
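The version ranges above are the basis for an exposure review, so as an added example (not part of the Secure ISS advisory and not a Dell tool) here is a small triage script that compares inventory version strings against those ranges. The inventory rows are constructed; the comparison pads versions to four components and compares numerically, which a plain string comparison of dotted versions gets wrong. ECS versions outside 3.8.1.0 through 3.8.1.7 are reported as "not listed", not as safe: they still need checking against Dell's supported-version guidance.

```python
# Added example (not part of the Secure ISS advisory or any Dell tool):
# triage an inventory of ECS / ObjectScale hosts against the affected
# version ranges stated in this advisory (DSA-2026-019).
import csv
import io

# Ranges as stated on this page.
ECS_AFFECTED_MIN = "3.8.1.0"
ECS_AFFECTED_MAX = "3.8.1.7"
OBJECTSCALE_FIXED = "4.3.0.0"


def parse_version(text: str) -> tuple[int, ...]:
    """Convert a dotted version such as '3.8.1.7' into a tuple that compares
    numerically (so '3.8.1.10' > '3.8.1.9', which string comparison gets
    wrong). Missing trailing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside the affected range this advisory lists.
    ECS versions outside 3.8.1.0-3.8.1.7 are simply not listed here; they still
    need checking against Dell's supported-version guidance."""
    v = parse_version(version)
    name = product.strip().lower()
    if name == "ecs":
        return parse_version(ECS_AFFECTED_MIN) <= v <= parse_version(ECS_AFFECTED_MAX)
    if name == "objectscale":
        return v < parse_version(OBJECTSCALE_FIXED)
    raise ValueError(f"unknown product: {product!r}")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """hostname,product,version
ecs-syd-01,ECS,3.8.1.5
ecs-syd-02,ECS,3.8.1.7
ecs-mel-01,ECS,3.8.1.8
os-syd-01,ObjectScale,4.2.0.3
os-mel-01,ObjectScale,4.3.0.0
"""


def triage(inventory_csv: str) -> list[dict]:
    """Return one record per host with an 'affected' flag, so the result can
    be sorted into an upgrade worklist."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [
        {**row, "affected": is_affected(row["product"], row["version"])}
        for row in rows
    ]


def affected_hosts(inventory_csv: str) -> list[str]:
    """Hostnames that fall inside a listed affected range."""
    return [r["hostname"] for r in triage(inventory_csv) if r["affected"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        status = "AFFECTED  " if r["affected"] else "not listed"
        print(f"{status} {r['hostname']:<12} {r['product']:<12} {r['version']}")
```

Feed it the CSV export of your CMDB or asset register in the same three-column shape; the `affected` flag on each record is what to sort the upgrade worklist on.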


Vulnerability Breakdown

CVE-2026-40636 - Hard-coded credentials

  • Severity: Critical

  • CVSS: 9.8

  • Description: Dell ECS and ObjectScale contain a use of hard-coded credentials vulnerability.

  • Impact: An unauthenticated attacker with local access could potentially gain filesystem access.

  • Conditions: Local access is required. No authentication is required.

  • Notes: Dell provides a password change procedure for supported versions still using default credentials.

CVE-2026-26946 - Improper privilege management in the OS

  • Severity: Medium

  • CVSS: 6.7

  • Description: Dell ECS and ObjectScale contain an improper privilege management vulnerability in the OS.

  • Impact: A high privileged attacker with local access could potentially achieve elevation of privileges.

  • Conditions: High privileges and local access are required.

CVE-2026-35157 - Improper neutralisation of formula elements in a CSV file in the UI

  • Severity: Medium

  • CVSS: 5.8

  • Description: Dell ECS and ObjectScale contain an improper neutralisation of formula elements in a CSV file vulnerability in the UI.

  • Impact: An unauthenticated attacker with remote access could potentially achieve remote execution.

  • Conditions: Remote access is required.
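CVE-2026-35157 belongs to the CSV formula injection class (CWE-1236): a spreadsheet opening an exported file evaluates any cell that begins with `=`, `+`, `-`, `@`, a tab or a carriage return as a formula, so user-controlled text that reaches the export verbatim runs on the machine of whoever opens it. As an added example (not part of the advisory and not Dell's UI code) the following shows the defective export beside the hardened one. The rows are constructed, and the sample cell `=SUM(1,2)` is a harmless formula chosen only to make the difference visible; the neutralisation rule (prefix with a single quote, skip leading spaces before checking, leave plain numbers untouched) is the standard defensive pattern, not something taken from Dell's fix.

```python
# Added example (not part of the Secure ISS advisory or Dell's UI code):
# the defensive pattern for CWE-1236, the vulnerability class behind
# CVE-2026-35157. A spreadsheet treats cells beginning with = + - @ (or a
# leading tab / carriage return) as formulas, so an export routine must
# neutralise such cells instead of writing them raw.
import csv
import io
import re

FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")
# Plain numbers such as -5 or +3.25 are harmless and must not be mangled.
PLAIN_NUMBER = re.compile(r"[-+]?\d+(\.\d+)?")


def neutralise_cell(value: str) -> str:
    """Prefix a cell a spreadsheet would treat as a formula with a single
    quote, which makes the application render it as literal text. Leading
    spaces are skipped before the check because ' =1+1' still evaluates in
    some spreadsheet applications; otherwise the value is returned as-is."""
    stripped = value.lstrip(" ")
    if not stripped or stripped[0] not in FORMULA_LEADERS:
        return value
    if PLAIN_NUMBER.fullmatch(stripped):
        return value
    return "'" + value


# Constructed sample rows: the third cell of the second row stands in for
# user-controlled text that must not reach a spreadsheet unchanged.
SAMPLE_ROWS = [
    ["bucket", "owner", "description"],
    ["logs-prod", "alice", "=SUM(1,2)"],
    ["backup", "bob", "-5"],
]


def export_csv_unsafe(rows) -> str:
    """The 'before' form: every cell written verbatim (the defect)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def export_csv_safe(rows) -> str:
    """The hardened form: every cell passes through neutralise_cell first.
    csv.writer still handles quoting of commas and quote characters."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(str(c)) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe export:\n" + export_csv_unsafe(SAMPLE_ROWS))
    print("safe export:\n" + export_csv_safe(SAMPLE_ROWS))
```

Neutralisation belongs at the export boundary, not at input time: the same value may be safe in an HTML table and dangerous in a CSV, and a filter applied on input is easily bypassed by data that arrives through another path. Until the vendor fix is applied, the practical control on the consuming side is to open exported CSVs in a viewer that does not evaluate formulas, or to import them with formula evaluation disabled.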

CVE-2025-43992 - Authentication bypass in Geo replication

  • Severity: Medium

  • CVSS: 5.6

  • Description: Dell ECS and ObjectScale contain an authentication bypass by assumed-immutable data vulnerability in Geo replication.

  • Impact: An unauthenticated attacker with remote access could potentially gain unauthorised access to data in transit.

  • Conditions: Remote access is required.


Mitigation

  • Upgrade supported affected ECS and ObjectScale systems to ObjectScale 4.3.0.0 or later.

  • Open an Operating Environment Upgrade service request and quote DSA-2026-019.

  • If default credentials are still in use, apply Dell's documented password change procedure to mitigate CVE-2026-40636 while upgrade work is underway.

  • Review Dell's supported version guidance and schedule the remediation at the earliest opportunity.


Summary for IT Teams

  • Products: Dell ECS, Dell ObjectScale

  • Threat Level: Critical, CVSS 9.8

  • Action Required: Upgrade to version 4.3.0.0 or later, change default credentials where applicable, and validate exposure across ECS and ObjectScale environments.

Reference


Need Help?

If your organisation needs support assessing exposure, planning the upgrade, or validating remediation, contact Secure ISS on 1300 769 460.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.
