Dell ECS Hard-Coded Credentials Flaw CVE-2026-40636 Hits 9.8 CVSS

CVE-2026-40636 (CVSS 9.8) in Dell ECS and ObjectScale uses hard-coded credentials, letting local attackers gain filesystem access.

Executive Summary

Dell has disclosed two vulnerabilities in its ECS and ObjectScale enterprise storage platforms, one of which — CVE-2026-40636 — carries a CVSS base score of 9.8 (critical) due to the use of hard-coded credentials. An unauthenticated attacker with local access can exploit this flaw to gain filesystem access on affected systems. A second vulnerability, CVE-2026-35157 (CVSS 5.8), allows remote code execution via CSV injection in the web UI. Both flaws affect Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0. Dell released security updates on 2026-05-08 under advisory DSA-2026-047.

Technical Analysis

According to Dell's security advisory (DSA-2026-047), CVE-2026-40636 stems from hard-coded credentials embedded in the software of Dell ECS and ObjectScale. The National Vulnerability Database (NVD) rates the flaw at 9.8 on the CVSS v3.1 scale, indicating the highest severity tier for network-exploitable vulnerabilities with no privileges required and no user interaction. However, Dell's advisory notes that exploitation requires local access, which somewhat tempers the attack surface — an attacker must already have a foothold on the system or adjacent network access to leverage the hard-coded credentials. Once exploited, the vulnerability grants unauthorized filesystem access, potentially exposing stored object data or configuration files.

The second vulnerability, CVE-2026-35157, is described as an improper neutralization of formula elements in a CSV file — commonly known as CSV injection. This flaw resides in the web-based user interface of both platforms. An unauthenticated attacker with remote access can craft a malicious CSV export that, when opened in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, executes arbitrary formulas. While the NVD assigns a CVSS score of 5.8 (medium), Dell's advisory explicitly states this can lead to remote code execution. The discrepancy likely reflects differing assumptions about the attack chain: the NVD score may consider the CSV injection as a data integrity issue, whereas Dell's assessment accounts for the downstream impact when a victim opens the crafted file.

Both vulnerabilities were reported to Dell through its coordinated disclosure process. The advisory does not name the researchers who discovered the flaws, nor does it provide proof-of-concept code or exploitation timelines. Dell's security bulletin, published May 8, 2026, is the primary source for technical details.

Mitigations & Recommendations

Dell has released fixed versions for both affected product lines. For Dell ECS, administrators should upgrade to version 3.8.1.8 or later. For Dell ObjectScale, the fix is included in version 4.3.0.0 and subsequent releases. Dell recommends applying these updates immediately, particularly for systems exposed to untrusted local users or accessible from broader network segments.

For CVE-2026-35157 specifically, organizations should also consider user-awareness training around handling CSV files exported from trusted administrative interfaces. Until patches are applied, limiting remote access to the ECS and ObjectScale web UI via firewall rules or VPN requirements can reduce the likelihood of exploitation. Given the 9.8 CVSS score of CVE-2026-40636, any deployment that allows local user accounts or shared infrastructure access should treat patching as a critical change window.
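As an added example (not code from Dell's advisory or from this article), the following Python shows the standard mitigation for the CSV-injection class that CVE-2026-35157 belongs to: neutralizing formula-triggering cells when an export is generated, and auditing an existing export for cells a spreadsheet would evaluate. The bucket/object sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (CWE-1236). Tab and CR are included because some importers drop them
# before evaluating, which would turn "\t=x" into "=x".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value):
    """True if a spreadsheet would evaluate `value` rather than display it."""
    if not isinstance(value, str):
        return False
    # Only spaces are stripped so that a leading tab or CR is still detected.
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix a formula-looking cell with a single quote so it renders as text
    (the apostrophe may stay visible, but the cell is never evaluated).
    Non-string values (numbers, None) are returned unchanged."""
    if not is_formula_cell(value):
        return value
    return "'" + value


def export_csv(rows):
    """Serialise rows to CSV with every cell neutralised and quoted.
    QUOTE_ALL also stops a cell containing the delimiter or quote character
    from splitting a payload across neighbouring cells."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def audit_csv(text):
    """Scan an existing export and return (row, column, cell) for every cell
    that would be evaluated as a formula; useful for checking what an
    unpatched UI actually hands to a client."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: an object listing in which attacker-controlled object
# names start with formula triggers (harmless arithmetic used as stand-ins).
SAMPLE_ROWS = [
    ["bucket", "object", "size"],
    ["backups", "=SUM(A1:A9)", 1024],
    ["logs", "\t+1+1", 12],
    ["docs", "report-2026.pdf", 5120],
]
```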
