Comet Backup Server Flaw Exposes Remote Customer Data

A critical security flaw has disrupted the enterprise backup landscape this week. Specifically, a severe Comet Backup RCE vulnerability exposes server installations to full compromise. This flaw, tracked as CVE-2026-32999, carries an alarming CVSS score of 9.1. Furthermore, the security loophole impacts all product versions prior to 26.4.3 and 26.5.0. Consequently, self-hosted administrators must act immediately to safeguard their sensitive infrastructure.

Exploiting the Branding Mechanism

The underlying issue stems directly from specific administrative branding permissions. For instance, a tenant administrator can execute malicious code on behalf of the cometd process. This exploitation occurs when the administrator uploads custom .dll or .so executables for codesigning. Subsequently, the attacker generates a malicious backup-tool client to compromise the platform. As a result, the malicious actions easily break through established tenancy boundaries.

Serious Data Security Impact

The fallout from an attack can be highly devastating for a business. Firstly, the threat actor gains full access to critical user data in the config.cfg file. Additionally, the hacker can harvest backed up data from remote devices containing the backup-tool. Attackers also maintain the ability to stop, replace, or completely remove the Comet Server installation. Moreover, the exploit permits code execution on behalf of a privileged user on any connected endpoint. Therefore, the Comet Backup RCE vulnerability presents a profound risk to data privacy.

Recommended Remediation Steps

Fortunately, the vendor has already initiated swift defensive measures. The engineering team has fully upgraded all Comet Hosted servers, so those administrators require no action. However, self-hosted deployment teams must deploy the official CVE-2026-32999 patch manually. Specifically, you should upgrade your local instances to version 26.4.3, 26.5.0, or higher immediately. You can securely obtain the updated installation files through the official download portal. Ultimately, timely patching remains your best defense against active server compromise.