Progress MOVEit Transfer HTTPS Auth Bypass (v < 2025.1.3)
CVE-2026-8651 Published on July 8, 2026

IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer
Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.

NVD

Vulnerability Analysis

CVE-2026-8651 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Authentication Bypass by Spoofing

This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.


Products Associated with CVE-2026-8651

Want to know whenever a new CVE is published for Progress Moveit Transfer? stack.watch will email you.

 

Affected Versions

Progress MOVEit Transfer: