SolarWinds Web Help Desk Unauthenticated File Upload

High

Synopsis

SolarWinds Web Help Desk contains an unauthenticated file upload vulnerability. A remote attacker can submit arbitrary file uploads to the affected host without authentication, allowing the attacker to consume all available disk space on the volume hosting the application and induce a denial-of-service condition.

Solution

Upgrade to SolarWinds Web Help Desk 2026.2 or later.

Disclosure Timeline

January 21, 2026: Tenable requests contact from SolarWinds. SolarWinds provides a link to a web page that has their PGP key. Tenable advises SolarWinds that the key appears to be expired. SolarWinds advises Tenable to send the advisory unencrypted.
January 22, 2026: Tenable sends the report. SolarWinds sends a path for uploading the PoC file, and Tenable uploads it.
January 23, 2026: SolarWinds acknowledges they have received the PoC and are reviewing.
January 28, 2026: Tenable notices a 2026.1 release and asks SolarWinds if this bug was fixed in that release.
February 10, 2026: SolarWinds replies confirming the vulnerability and opens a new ticket.
February 25, 2026: Tenable asks SolarWinds for an update and realizes we cannot reply to the new ticket.
February 25, 2026: SolarWinds provides a new email thread and advises they are planning to fix this in the next release but do not currently have a date.
March 23, 2026: Tenable requests status update.
March 23, 2026: SolarWinds replies that they are targeting a 4/21 release date.
March 26, 2026: Tenable acknowledges, requests CVEs.
March 26, 2026: SolarWinds replies with information around publication.
April 2, 2026: Tenable replies and asks for a status update.
April 8, 2026: SolarWinds replies that they are having functional issues with the release and need to move the release date.
April 15, 2026: Tenable replies asking for expected release date.
April 24, 2026: SolarWinds asks to meet.
April 29, 2026: Tenable sends some times to meet.
May 1, 2026: Tenable and SolarWinds meet.
May 13, 2026: SolarWinds asks Tenable for an update.
May 14, 2026: Tenable responds that due to the extenuating circumstances, we can extend. Tenable asks for continued regular updates.
May 15, 2026: SolarWinds replies that they are on track.
May 29, 2026: SolarWinds replies that they are delayed until early June.
June 2, 2026: SolarWinds lets Tenable know that 2026.2 was released today.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.