BeyondTrust BT26-03: Critical and High-Severity Flaws in Remote Support and Privileged Remote Access
BeyondTrust advisory BT26-03, issued on July 6th, 2026, describes multiple new vulnerabilities in BeyondTrust Remote Support (RS) and BeyondTrust Privileged Remote Access (PRA). The vulnerabilities include two critical flaws exploitable without authentication and additional high-severity issues in network communication and web application components. All the flaws require specific configurations for exploitation, but BeyondTrust has not disclosed the configuration details.
According to BeyondTrust, the issues were found through internal AI-driven vulnerability research using publicly available AI models, and they were fixed before exploitation. The vendor also claims that the flaws were not exploited or known outside the company prior to remediation.

There is no evidence that any of the CVEs have been exploited in the wild, and no public proof-of-concept (PoC) exploits have been published. CISA has added three vulnerabilities affecting BeyondTrust RS and PRA to its KEV Catalog since late 2024, indicating that the products are popular targets for attackers. CVE-2026-1731 was added in early 2026 and is associated with ransomware attacks. Numerous national CERT agencies have issued alerts [1][2][3][4][5][6][7][8][9], indicating high global risk.

OPENVAS ENTERPRISE FEED includes a remote banner version check covering CVE-2026-40138, CVE-2026-40140, and CVE-2026-40141 in BeyondTrust PRA, and a separate remote banner version check for CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, and CVE-2026-40141 in BeyondTrust RS. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
Vulnerabilities Disclosed in the BeyondTrust BT26-03 Advisory
The BeyondTrust BT26-03 advisory covers two critical and two high-severity CVEs across two products: BeyondTrust RS and PRA. There is no evidence of exploitation in the wild, and no publicly available PoC exploits exist for any of the CVEs disclosed in BT26-03. All of the flaws have been assigned moderate EPSS scores: 34th – 47th percentiles.
The four CVEs disclosed in BeyondTrust BT26-03, each shown with its CVSS severity band and EPSS exploitation-probability score
An improper neutralization of special elements in data-query logic [CWE-943] flaw in a web application component of BeyondTrust RS and PRA. An authenticated attacker with specific permissions could access or manipulate resources and data outside the intended authorization boundary.
An improper authentication [CWE-287] flaw in BeyondTrust RS. A remote, unauthenticated attacker could bypass access controls when a specific authentication configuration is enabled, which BeyondTrust does not publicly identify.
An improper authentication [CWE-287] flaw in BeyondTrust RS and PRA. A remote, unauthenticated attacker could bypass access controls and reach elevated accounts when a specific authentication configuration is enabled, which BeyondTrust does not publicly identify.
An uncontrolled resource consumption [CWE-400] flaw in the network communication subsystem of BeyondTrust RS and PRA. A remote, unauthenticated attacker could trigger a denial-of-service and disrupt appliance availability.
Affected Products and Versions
BeyondTrust states that all cloud-hosted RS and PRA instances were patched as of April 21st, 2026. For self-hosted deployments, the vendor directs customers to apply the April security rollup patch or upgrade to the fixed product versions. The supplied evidence identifies RS 25.3.2 and earlier and PRA 25.3.2 and earlier as affected. BeyondTrust provides no workarounds for the vulnerabilities.
BeyondTrust Remote Support (RS) is an enterprise-grade remote support tool used by IT service desks, help desks, and support teams to connect to and control remote systems and devices. In operational terms, that means the product often sits on a path used for remote troubleshooting, administrative support, and endpoint interaction.
BeyondTrust Privileged Remote Access (PRA) is used to manage remote access to critical systems for privileged users and third-party vendors. The product includes session monitoring, auditing, recording, and least-privilege controls. BeyondTrust also describes the B Series Appliance as the central communication point for secure remote access, handling session brokering, authentication, logging, auditing, and encryption.
Start Your Free Trial
The OPENVAS ENTERPRISE FEED includes remote banner version checks for CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, and CVE-2026-40141 across BeyondTrust RS [1] and PRA [2]. Grab a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
Summary
BT26-03 consolidates four confirmed vulnerabilities across BeyondTrust Remote Support and BeyondTrust Privileged Remote Access. The most important issues are the two critical pre-authentication flaws, followed by the high-severity vulnerabilities in the network communication and web application components. Although none of the CVEs are known to have been exploited in the wild and no public PoC exploit exists, CISA has added three vulnerabilities affecting BeyondTrust RS and PRA to its KEV Catalog since late 2024. CVE-2026-1731 was added in early 2026 and is associated with ransomware attacks. Numerous national CERT agencies have issued alerts, indicating high global risk. Greenbone’s OPENVAS ENTERPRISE FEED provides remote banner version checks for the BT26-03 CVEs, helping defenders identify affected BeyondTrust RS and PRA appliances and prioritize remediation.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.



