Pre-Auth Access-Control Bypass in BeyondTrust Remote Support and PRA (CVE-2026-40138)
Vulnerability Overview
CVE-2026-40138 is a critical pre-authentication vulnerability in the authentication subsystem of BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). Per the vendor's CVE record, improper validation of authentication data may allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance, including accounts with elevated privileges. It is scored CVSS v4.0 9.2 (Critical). Two qualifiers materially shape the real-world risk and are worth stating up front: the CVSS vector indicates high attack complexity (AC:H/AT:P), and exploitation requires a specific authentication configuration to be enabled.
This CVE was published on July 6, 2026, and at the time of writing the deep technical details, the exact affected and fixed build numbers, and the corresponding BeyondTrust advisory identifier were not yet broadly available. Treat the specifics below as directional and confirm affected versions and patched builds against BeyondTrust's official security advisory before acting.
Why BeyondTrust RS and PRA Are High-Value Targets
Remote Support and Privileged Remote Access sit at the center of privileged access for a large number of enterprises. BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including a large share of the Fortune 100, which makes any pre-authentication flaw in these appliances a high-priority target for capable adversaries. The history reinforces the point: in 2024, the China-linked Silk Typhoon group exploited BeyondTrust RS zero-days (CVE-2024-12356 and CVE-2024-12686) in an intrusion later connected to the compromise of the U.S. Treasury, and in early 2026 a separate critical pre-auth RCE (CVE-2026-1731) came under active exploitation. A tool built to broker privileged access is, by design, a shortcut to everything it protects.
Technical Analysis
Based on the published description, CVE-2026-40138 is an authentication flaw rather than a memory-safety or injection bug: the authentication subsystem does not correctly validate authentication data, and that gap lets an attacker defeat access controls without valid credentials. The stated impact, unauthorized access to the appliance including elevated-privilege accounts, places this in the same dangerous class as an authentication bypass, where the attacker ends up authenticated as someone they are not.
The CVSS vector adds important texture. PR:N and UI:N confirm the pre-auth, no-interaction nature, and the network attack vector (AV:N) means it is reachable remotely. At the same time, AC:H (high attack complexity) and AT:P (attack requirements present) signal that exploitation is not a trivial single request; it depends on conditions an attacker must meet or engineer. The vendor's explicit note that exploitation requires a specific authentication configuration to be enabled is the concrete expression of those requirements: environments that do not run that configuration are not in the exploitable path. Detailed mechanics were not public at the time of writing, which is consistent with responsible disclosure practice of withholding specifics while defenders patch.
Am I Affected?
Both Remote Support and Privileged Remote Access are named as affected, but the precondition matters: the risk concentrates on deployments that have the relevant authentication configuration enabled. Because exact affected and fixed build numbers were not yet widely published, the correct move is to open BeyondTrust's official advisory for CVE-2026-40138, confirm whether your version and configuration fall in scope, and identify the patched build for your product line. As a general rule for these appliances, SaaS instances are typically remediated server-side by BeyondTrust, while self-hosted customers must apply the patch themselves unless they are enrolled in automatic updates through the /appliance interface.
Mitigation & Remediation
Guidance for a critical pre-auth flaw in a privileged-access appliance, pending the specifics in BeyondTrust's advisory:
- Apply the vendor patch. Confirm the fixed build in BeyondTrust's advisory and update. Self-hosted RS and PRA customers should patch manually if they are not subscribed to automatic updates, and older releases may need an interim upgrade before the fix can be applied, as with prior BeyondTrust advisories.
- Review the triggering authentication configuration. Since exploitation depends on a specific auth configuration being enabled, verify whether that configuration is active in your environment. If it is not required, consider disabling it until patched, guided by the vendor advisory.
- Restrict network exposure. Limit reachability of RS and PRA administrative and public interfaces to trusted networks. These appliances should not be broadly internet-exposed beyond what the service genuinely requires.
- Hunt and monitor. Given BeyondTrust's history of exploited pre-auth bugs, review authentication logs for anomalous or unexpected privileged logins, watch for new or modified administrator accounts, and treat any sign of unauthorized access as a potential incident.
The Bigger Picture
CVE-2026-40138 continues a hard pattern for privileged remote access technology: the very systems organizations deploy to control and audit sensitive access keep surfacing critical pre-authentication flaws, and attackers keep prioritizing them because a single bypass can unlock an entire estate. The mitigating factors here, high attack complexity and a configuration-dependent precondition, mean this is not a spray-and-pray mass-exploitation scenario in the way a simple unauthenticated RCE would be. That is a reason to patch deliberately, not a reason to wait. Inventory your RS and PRA instances, confirm the affected configuration, apply the fix, and keep these appliances on a short patch leash, because the blast radius of the thing that guards privileged access is, by definition, large.