
FlexNet Manager Release Blog — JBorchers (Flexera Software)
Security Advisory: Privilege Escalation Vulnerability in FlexNet Manager Suite 2025 R1
Summary
A security vulnerability has been identified in FlexNet Manager Suite 2025 R1 that could allow an authenticated user with read-only access to account settings to escalate their privileges to Administrator level. This is achieved by intercepting and modifying API requests during a save operation: the backend in 2025 R1 does not adequately validate that the user has sufficient privileges to change roles.
CVE-2026-4026 - Observation 1: Lack of access control leading to privilege escalation
Impact
An authenticated user with the "Configure operators of FlexNet Manager Platform" (read) permission could modify their own role to Administrator, gaining full control over the web application. This impacts the confidentiality, integrity, and availability of data managed by the platform.
Affected Version
FlexNet Manager Suite 2025 R1
Resolution
This vulnerability has been verified as already resolved in 2025 R2 (released December 2025). In 2025 R2, any attempt to modify a role via request interception is rejected, and the user's role remains unchanged. No separate hotfix will be issued for 2025 R1.
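The class of flaw and its server-side fix can be shown with a small model. This is an added example, not Flexera's code: the permission strings, field names and handler functions are all hypothetical and only mirror the behaviour described above (role change accepted without a privilege check, versus rejected with the role left unchanged).

```python
# Illustrative model only: every name, permission string and data shape here
# is an assumption for the example, not FlexNet Manager Suite's API.
from dataclasses import dataclass, field

READ = "operators:read"       # hypothetical: may view account settings
WRITE = "operators:write"     # hypothetical: may change operator roles
SELF_SERVICE = {"email"}      # constructed: fields any operator may save


class Forbidden(Exception):
    """Raised when the caller lacks the permission the change requires."""


@dataclass
class Operator:
    name: str
    role: str
    permissions: set = field(default_factory=set)
    email: str = ""


def save_account_unchecked(caller, target, body):
    """Flawed pattern: every field in the request body is trusted."""
    if READ not in caller.permissions:
        raise Forbidden("no access to account settings")
    for key, value in body.items():   # 'role' is written like any other field
        setattr(target, key, value)
    return target


def save_account_checked(caller, target, body):
    """Hardened pattern: the role change is authorized on the server."""
    if READ not in caller.permissions:
        raise Forbidden("no access to account settings")
    allowed = set(SELF_SERVICE)
    if WRITE in caller.permissions:
        allowed.add("role")
    rejected = set(body) - allowed
    if rejected:
        # Reject the whole request before writing, so nothing is half-applied.
        raise Forbidden(f"{caller.name} may not set: {sorted(rejected)}")
    for key, value in body.items():
        setattr(target, key, value)
    return target
```

The check lives in the handler, not the client, so a request altered after it leaves the browser is evaluated against the caller's actual permissions.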
Upgrade Guidance
Customers currently running 2025 R1 or earlier should upgrade to 2025 R2 as soon as possible to remediate this vulnerability. If you need assistance with the upgrade process, please contact Flexera Support.