CVE-2026-1290
📋 TL;DR
CVE-2026-1290 is an authentication bypass vulnerability in Jamf Pro that allows attackers to circumvent authentication mechanisms without valid credentials. This affects Jamf Pro versions 11.20 through 11.24, potentially impacting organizations using these versions for Apple device management.
💻 Affected Systems
- Jamf Pro
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Jamf Pro environment allowing unauthorized access to all managed Apple devices, deployment of malicious configurations, data exfiltration, and lateral movement within the network.
Likely Case
Unauthorized access to Jamf Pro console leading to unauthorized device management, policy changes, or deployment of unwanted software to managed devices.
If Mitigated
Limited impact if network segmentation, strong access controls, and monitoring are in place to detect anomalous authentication attempts.
🎯 Exploit Status
Authentication bypass vulnerabilities typically have low exploitation complexity once the bypass method is understood. No public exploit code is currently known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.24.0 or later
Vendor Advisory: https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.24.0/page/Resolved_Issues.html
Restart Required: Yes
Instructions:
1. Backup current Jamf Pro configuration and database. 2. Download Jamf Pro 11.24.0 or later from Jamf account portal. 3. Follow Jamf's upgrade documentation for your deployment type (on-premise or cloud). 4. Restart Jamf Pro services after upgrade completion.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict access to Jamf Pro management interface to trusted IP addresses only
# Use firewall rules to restrict access to Jamf Pro ports (typically 8443 for HTTPS)
Enhanced Monitoring
allImplement additional authentication logging and alerting for failed and successful logins
# Configure Jamf Pro audit logging and forward logs to SIEM
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Jamf Pro from untrusted networks
- Enable multi-factor authentication for all administrative accounts and monitor for authentication anomalies
🔍 How to Verify
Check if Vulnerable:
Check Jamf Pro version in web interface (Settings > Global Management > Status) or via API endpoint /api/v1/jamf-pro-versionCheck Version:
curl -k -u username:password https://jamf-server:8443/api/v1/jamf-pro-versionVerify Fix Applied:
Verify version is 11.24.0 or later and test authentication mechanisms work correctly📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns
- Successful logins from unexpected IP addresses
- Authentication bypass attempts in web server logs
Network Indicators:
- Unusual API calls to Jamf Pro without proper authentication headers
- Traffic to Jamf Pro from unauthorized sources
SIEM Query:
source="jamf-pro" AND (event_type="authentication" AND result="success" AND user_agent="unusual") OR (http_status=200 AND uri="/api/*" AND auth_header="missing")