Flexera One ITAM: Security vulnerability - Lack of access control leading to attachment file disclosure (CVE‑2026‑4027)

A security vulnerability has been identified in FlexNet Manager Suite that could allow unauthorized access to attachment files due to insufficient access control. This issue occurs when the application does not properly validate user permissions before allowing access to file attachments.

CVE‑2026‑4027 - Observation 1: Lack of access control leading to attachment file disclosure

Impact

An unauthorized user may be able to access attachment files without the required permissions. This could lead to unintended exposure of sensitive information, impacting the confidentiality of data managed by the platform.

Affected Version

FlexNet Manager Suite 2025 R1

FlexNet Manager Suite 2025 R2

Resolution

This vulnerability has been fixed for cloud environments and will be available to customers as part of the Flexera One ITAM May 2026 release. The fix ensures that proper access control validation is enforced before allowing access to attachment files.

For on‑premises customers, the fix will be available in FlexNet Manager Suite 2026 R1.

Upgrade Guidance

• Cloud customers will receive the fix automatically as part of the Flexera One ITAM May 2026 release
• On‑premises customers should plan to upgrade to 2026 R1 once available to remediate this vulnerability

If you need assistance with the upgrade process, please contact Flexera Support.

Security Advisory: Privilege Escalation Vulnerability in FlexNet Manager Suite 2025 R1

Summary

A security vulnerability has been identified in FlexNet Manager Suite 2025 R1 that could allow an authenticated user with read-only access to account settings to escalate their privileges to Administrator level. This is achieved by intercepting and modifying API requests during a save operation - the backend in 2025 R1 does not adequately validate that the user has sufficient privileges to change roles.

CVE-2026-4026 - Observation 1: Lack of access control leading to privilege escalation

Impact

An authenticated user with the "Configure operators of FlexNet Manager Platform" (read) permission could modify their own role to Administrator, gaining full control over the web application. This impacts the confidentiality, integrity, and availability of data managed by the platform.

Affected Version

FlexNet Manager Suite 2025 R1

Resolution

This vulnerability has been verified as already resolved in 2025 R2 (released December 2025). In 2025 R2, any attempt to modify a role via request interception is rejected, and the user's role remains unchanged. No separate hotfix will be issued for 2025 R1.

Upgrade Guidance

Customers currently running 2025 R1 or earlier should upgrade to 2025 R2 as soon as possible to remediate this vulnerability. If you need assistance with the upgrade process, please contact Flexera Support.

2025 R2 Release for FlexNet Manager for Engineering Applications (FNMEA)

We are excited to announce the 2025 R2 release of FlexNet Manager for Engineering Applications (FNMEA). Thank you to our customers for your continued feedback, which helps to shape and improve our product.

In this release, we have introduced the following key features and enhancements:

New Features

Auto-delete old FNM classic reports

Enhanced role based access for license server admin and reporting

Configurable standardized date format for classic reports

Changes from Previous Releases

FlexNet Agent now supports Linux ARM64 (Aarch64)

Ability to change default domain on login page

Apache Struts version upgrade

Highlights:

• Auto‑Delete Old FNM Classic Reports: Automatically purge classic reports older than a configurable retention period to keep storage lean and reporting clean.
• Enhanced Role‑Based Access for License Server Admin & Reporting: Granular permissions per admin set, plus a new read‑only role for the Activity tab, aligning access with roles while improving visibility for non‑admin stakeholders.
• Configurable, Standardized Date Format for Classic Reports: Choose standardized vs. legacy date formats to stabilize scripts and automations without breaking existing workflows.
• FlexNet Agent Support for Linux ARM64: Extend inventory and license compliance to modern ARM‑based servers and cloud infrastructure.
• Change Default ‘flexnet’ Domain on Login Page: Usability tweak that reduces login confusion and minimizes automation breakages.
• Security Upgrade: Apache Struts: Framework updated to address known vulnerabilities and strengthen compliance posture.

For more details, refer to the Release Notes and updated documentation available in the Flexera Product Documentation.

FNMEA 2025 R2 is now available for download from the Product and License Center in the Flexera Community.

2025 R2 Release for FlexNet Manager Suite (FNMS) - Release Date 3rd December 2025

We’re excited to announce our FlexNet Manager Suite 2025 R2 release. It is available for download from the Product and License Center in the Flexera Community.

Release Highlights

• Jamf Adapter enables the collection of inventory data from both Jamf Cloud and Jamf On-Premises environments. This data is imported into FlexNet Manager Suite, allowing organizations that use Jamf to manage macOS devices to seamlessly integrate their inventory with FlexNet Manager Suite.
• Design Mode streamlines working with grid data in FlexNet Manager Suite by allowing you to filter and search data in a grid without triggering a search after every change, resulting in faster, smoother interactions, and avoiding unnecessary reloads.
• Enhanced Accessibility introduces significant accessibility enhancements that comply with WCAG 2.1 Level A/AA, Section 508, and EU EN 301 549 standards. These updates reinforce our commitment to inclusivity, ensure regulatory compliance, and deliver a better experience for all users. Key improvements include enhanced screen reader support, improved contrast, responsive zoom functionality, and full keyboard navigation.
• Improved visibility for inactive users enhances the Consumption tab view to include inactive users who are still assigned a license. These users will now appear in the Consumption tab with a consumption value of 0, indicating that while they remain assigned, they do not actively consume due to their inactive status.
• Enhanced Reporting for Installed Applications on Containers introduced two key improvements: (1) Containers and related data has been added to the Report Builder. (2) A new built-in report "Container Installation Details Report" for container installations.
• Enhanced Active Directory (AD) user import and reconciliation process in FlexNet Manager Suite to improve reliability, scalability, and performance, especially benefiting customers who actively use AD imports.
• Further License key management enhancements - View license keys associated with specific users from User Properties. A new License Keys tab has been added to the User Properties page. This tab displays all license keys associated with the user, either because they are the primary user of a device with an assigned key, or because the key is directly assigned to them under a user license.
• Accurate IBM licensing where duplicate device records exist ensures greater accuracy and reliability to our IBM license reconciliation process in environments where duplicate device records exist in the inventory database.
• Enhanced Oracle Java Worksheet report with several new columns to enhance insights and improve filtering capabilities related to the identified Java install base.
• The Application Object has been added to the Business Adapter to support bulk updates of applications including custom properties.

This release comes together with a newer version of the FlexNet Inventory Agent and Inventory Beacon.

Here is a list of relevant changes:

• FlexNet Inventory Agent version 25.0.0 changes for 2025 R2
• Inventory Beacon 25.0.0 changes for 2025 R2
• Changes to supported operating systems and compatibility with other products: Several operating system versions have been added to the list of supported operating systems on FlexNet Inventory Agent. More product versions have been added to the compatibility list of FlexNet Manager Suite with other products.

Feature By Release for FlexNet Manager Suite 2025 R2

2025 R1 Release for FlexNet Manager Suite (FNMS)

We’re excited to announce our FlexNet Manager Suite 2025 R1 release. It is now available for download from the Product and License Center in the Flexera Community.

Release Highlights

• Nutanix Acropolis Hypervisor (AHV) VM inventory collection: FlexNet Manager Suite now supports the discovery and inventory of Nutanix Acropolis Hypervisor (AHV), allowing the identification and collection of VM-Host and Host-Cluster relationships hosted on Nutanix servers managed by Nutanix.
• New Microsoft 365 GCC High Adapter for US Government customers: The new Microsoft 365 GCC High Adapter is provided to allow US Government customers to import data to FlexNet Manager Suite from Microsoft 365 / Microsoft Azure Government environments. The data collected will be used to calculate license consumption, and gives US Government customers visibility of their Microsoft 365 estate.
• Accessibility Improvements: Accessibility enhancements have been made to ensure compliance with WCAG 2.1 standards. The updates include both visible and behind-the-scenes changes to the FlexNet Manager Suite user interface in the browser for Responsive Layout, Consistent Navigation Concept, Enhanced Keyboard Usability, WCAG-Compliant Contrast, and Improved Screen Reader Support.
• CyberArk support for managing third party inventory adapters: This enhancement addresses STIG compliance, allowing government customers to leverage CyberArk for credential handling across domains and to provide secure integration for third party inventory adapters in FlexNet Manager Suite.
• Oracle Cloud Infrastructure (OCI) adapter can detect running instances: The Oracle Cloud Infrastructure (OCI) adapter has been enhanced to enable the extraction of running instances from Oracle Cloud Infrastructure and their import into FlexNet Manager Suite. This update builds on the previous functionality for extracting Autonomous Database Instances.
• Support for Oracle Cloud Infrastructure (OCI) as a default cloud service provider detected by inventory agents: OCI is detected as a default CSP to ensure comprehensive inventory management across all major cloud service providers.
• Licence key management and usability enhancement: This enhancement introduces several UI improvements that simplify license key management and assignment to users and devices including bulk import via csv files or Business Adapter Studio.
• New columns showing the total number of virtual machines (VMs) with operating system variant added to the Cluster reporting object in Report Builder: The Report Builder has been further enhanced to report on the total number of virtual machines (VMs) with operating system variant (Windows, SUSE Linux, RHEL) for each host and its parent cluster, enabling more accurate license consumption calculations.
• VMware vSAN inventory now collected and recognized: Broadcom VMware vSAN is now collected and recognized as VMware inventory. The VMware Inventory page has been updated with the following new properties: Cluster name, Cluster Required vSAN Capacity (The total number of TiBs (Tebibytes) used by vSAN datastores in the cluster), and Host required vSAN capacity (TiBs).
• Enhanced Tanium adapter to support cloud properties: The Tanium adapter has been enhanced to support cloud properties. With this enhancement, users can bring in custom fields and usage data from Tanium, which will be normalized and made available in FlexNet Manager Suite.

This release comes together with a newer version of the FlexNet Inventory Agent and Inventory Beacon.

Here is a list of relevant changes:

• FlexNet Inventory Agent version 24.0.0 changes for 2025 R1
• Inventory Beacon 24.0.0 changes for 2025 R1

Changes of supported versions:

• Changes to Supported Microsoft SQL Versions: FlexNet Manager Suite will discontinue support for Microsoft SQL Server versions that have reached the end of Microsoft's mainstream support to leverage the enhanced features, performance optimization, bug fixes, and security updates available in newer, actively supported Microsoft SQL Server versions.
• Microsoft Internet Information Services (IIS) 10 Requirement for New Security Features: As part of ongoing penetration testing and security enhancements, FlexNet Manager Suite has introduced new security features that are supported exclusively on IIS 10
• Changes to supported operating systems and compatibility with other products: Several operating system versions have been added to the list of supported operating systems on FlexNet Inventory Agent. More product versions have been added to the compatibility list of FlexNet Manager Suite with other products.

For the full lists, see the Prerequisite Software topic and the Compatibility with Other Products topic in System Requirements and Compatibility.

Feature By Release for FlexNet Manager Suite 2025 R1

2025 R1 Release for FlexNet Manager for Engineering Applications (FNMEA)

We are excited to announce the 2025 R1 release of FlexNet Manager for Engineering Applications (FNMEA). Thank you to our customers for your continued feedback, which helps to shape and improve our product.

In this release, we have introduced the following key features and enhancements:

·      Enhanced Skip Mode for RL Parser: Improves resilience by allowing uninterrupted parsing of corrupted report logs, with detailed error logging for easy troubleshooting.

·      Pull-Based RL Parser Agent: Agents now autonomously retrieve configurations and logs, reducing admin server load and improving scalability.

·      API Support for Configuration and Scheduling: New RESTful APIs enable automated RL Parser configuration and log rotation scheduling, supporting CI/CD workflows and reducing manual effort.

·      Export/Import Report Configurations: Easily migrate, back up, or replicate classic report configurations across environments, simplifying upgrades and setup.

·      Configurable lmnewlog Timeout: Set time limits for log rotation to prevent failures in environments with large logs or multiple license servers.

Changes from Previous Releases

·      Apache Struts Upgrade: Upgraded from version 2.5.33 to 6.7.0 to address security vulnerabilities.

·      Spring Framework Upgrade (Agent): Spring Framework updated from version 5.3.33 to 5.3.39 to enhance security.

For more details, refer to the Release Notes and updated documentation available in the Flexera Product Documentation.

FNMEA 2025 R1 is now available for download from the Product and License Center in the Flexera Community.

FlexNet Inventory Agent for Unix-like platforms Improvement Update IOK-1085762

Executive Summary

The Flexera Inventory Agent for Unix-like platforms, versions 2023 R1 (20.1.0) and 2023 R2 (21.0.0), may encounter high memory usage due to an unexpectedly large file evidence cache. This issue has been addressed for the affected versions, and a hotfix has been released and is available for download through the PLC.

Cause

This issue was caused by the unexpectedly large file evidence cached during the file scanning process, which is then processed by the inventory agent on Unix-like supported operating systems.

Resolution

Flexera has released an update for the FlexNet Inventory Agent version 2023 R2.3 for Unix-like supported platforms, addressing the performance issue. This update includes other improvements and applies to versions 2023 R1 and 2023 R2. For more details, refer to the agent change log.

Available for download

The updated version of the Flexera Inventory Agent is available for download via the PLC under the FNMS 2023 R1 and FNMS 2023 R2 releases.

Please download the updated FlexNet inventory agent version 2021 R2.3, available through the Product and License Center (Flexera Community > More > Product and License Center). Updates are available for inventory agent versions 2023 R1 and 2023 R2 of FlexNet Manager Suite for On-Premises.

How to install update

The Flexera Inventory Agent update should be deployed to both the web application and inventory servers. For deployment instructions, please refer to the readme.txt file included in the update.

Single server FlexNet Manager Suite implementation

1. Web application server + inventory server combined (apply the update once)

Multi-server FlexNet Manager Suite implementation

1. Web application server (apply update)
2. Inventory server (apply update)

Inventory agent for automatic deployment

To enable auto-upgrade using FlexNet Manager Suite, you can set the version to deploy to 21.3.0 and upgrade mode and platform options to an appropriate mode and platform you would like to upgrade.

 Applies to

FlexNet Manager Suite On-Premises version 2023 R1 and 2023 R2.