CVE-2026-35155 - Vulnerability Details - OpenCVE

Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged attacker to gain elevated access.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Idrac10

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Dell	Idrac10

References

Link	Providers
https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability

History

Wed, 29 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dell Dell idrac10
Vendors & Products		Dell Dell idrac10

Wed, 29 Apr 2026 06:30:00 +0000

Type	Values Removed	Values Added
Title		Authenticated Low‑Privileged Attacker Can Gain Elevated Access in Dell iDRAC10 via Race Condition

Wed, 29 Apr 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged attacker to gain elevated access.
Weaknesses		CWE-522
References		https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2026-04-29T03:50:56.690Z

Updated: 2026-04-29T12:12:09.584Z

Reserved: 2026-04-01T17:04:27.475Z

Link: CVE-2026-35155

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-29T05:16:04.523

Modified: 2026-04-29T05:16:04.523

Link: CVE-2026-35155

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T07:30:05Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35155", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-04-01T17:04:27.475Z", "datePublished": "2026-04-29T03:50:56.690Z", "dateUpdated": "2026-04-29T12:12:09.584Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-29T03:50:56.690Z"}, "datePublic": "2026-04-27T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "iDRAC10", "versions": [{"status": "affected", "version": "0", "lessThan": "1.30.10.50 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low\u2011privileged attacker to gain elevated access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low\u2011privileged attacker to gain elevated access."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-29T12:12:02.094536Z", "id": "CVE-2026-35155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T12:12:09.584Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.30.10.50)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iDRAC10", "source": "cna", "vendor": "Dell"}, "product": "idrac10", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-29T06:20:59.319500+00:00", "value": {"mitigation_remediation": ["Update the iDRAC firmware to a version that includes the Dell security update referenced in the advisory", "Restrict or disable low\u2011privileged accounts on the iDRAC interface and enforce least\u2011privilege policies", "Monitor iDRAC logs for anomalous authentication or privilege escalation events"], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected systems are Dell iDRAC10 interfaces running firmware versions 1.20.70.50 or 1.30.05.10. No other Dell iDRAC variants or firmware revisions are listed as vulnerable.", "description_and_impact": "Dell iDRAC10 firmware versions 1.20.70.50 and 1.30.05.10 contain a race condition that results in insufficiently protected credentials, as identified by CWE\u2011522. A user who already has low\u2011privileged authentication can trigger the race condition to obtain elevated access rights, effectively bypassing the intended credential safeguards. This escalation could allow the attacker to modify iDRAC settings, view or alter configuration files, and gain broader control over the host server, thereby compromising integrity and potentially confidentiality of sensitive host information.", "risk_and_exploitability": "The vulnerability is rated a CVSS score of 7.1, indicating high risk, but no EPSS data is available to assess current exploit probability. The vulnerability is not listed in CISA's KEV catalog. The race condition requires an authenticated low\u2011privileged local account; therefore an attacker must have physical or remote access to the iDRAC interface and legitimate credentials. Exploitation would involve timing the credential verification routine to duplicate authentication tickets or tokens, thereby elevating privileges. While the exact implementational details are not fully documented, the referred Dell advisory indicates that the issue has been patched and should be addressed promptly."}}}}, "created": "2026-04-29T06:30:04.393218+00:00", "title": "Authenticated Low\u2011Privileged Attacker Can Gain Elevated Access in Dell iDRAC10 via Race Condition", "updated": "2026-04-29T07:30:05.163783+00:00", "vendors": ["dell", "dell$PRODUCT$idrac10"], "weaknesses": ["CWE-522"]}