Security Bulletins

TV-2026-1004

Lack of Server-side validation in Instruction Input in TeamViewer DEX Platform (On-Premises)

Bulletin ID
TV-2026-1004
Issue Date
13 พ.ค. 2026
Last Update
13 พ.ค. 2026
Priority
Moderate
CVSS
6.3 (Medium)
Assigned CVE
CVE-2026-2695
Affected Products
TeamViewer DEX Platform - On-Premises (formerly 1E DEX)

1. Summary

Missing server-side input validation leading to a command injection vulnerability was found and fixed in TeamViewer DEX Platform - On-Premises (formerly 1E DEX Platform).

2. Vulnerability details

CVE-ID

CVE-2026-2695

Description

A command injection vulnerability was discovered in TeamViewer DEX Platform On-Premises (former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows authenticated users with at least questioner privileges to inject commands in specific instructions. Exploitation could lead to execution of elevated commands on devices connected to the platform.

 

The vulnerability has been fixed with version 9.2 (On-Premises). We recommend updating to the latest available version. No action is required for TeamViewer DEX SaaS customers and users.

 

At this time, there is no indication that this vulnerability has been exploited in the wild.

CVSS3.1 Score

Base Score 6.3 (Medium)

CVSS3.1 Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Problem type

CWE-20: Improper Input Validation

3. Affected software and versions

Product
Versions
Info

TeamViewer DEX Platform (On-Premises)

< 9.2

New version available via Support Portal

4. Solutions and mitigations

Update to the latest version (v9.2 or the latest version available).

5. Acknowledgments

We would like to thank the Lockheed Martin Red Team for the discovery and responsible disclosure.