If your organization uses SALTO ProAccess Space to manage door access across multiple departments, a new vulnerability demands your immediate attention. On July 16, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning that all versions of ProAccess Space prior to 6.13 contain an authorization bypass flaw. An authenticated operator with low-level credentials can cross logical partitions—breaking the very isolation meant to keep, say, the R&D lab separate from the executive suite.
Inside the Vulnerability: How a Simple Authorization Gap Opens Doors
CISA identifies the vulnerability as CVE-2026-11889, a classic case of CWE-639: Authorization Bypass Through User-Controlled Key. In plain terms, an attacker who already has a valid operator account can manipulate requests to access spaces outside their assigned partition. No administrative privileges are needed; a low-privileged user is enough. The attack requires network access to the ProAccess Space management interface, but no user interaction—such as clicking a link or opening a file—is needed during exploitation.
The severity scores reflect a serious but not catastrophic risk. Under CVSS v3.1, the flaw rates 6.5 (Medium), while the newer CVSS v4.0 gives it a 7.1 (High). Both assessments underscore that the vulnerability is network-reachable and demands only low privileges, but it absolutely requires authentication. The integrity impact is high because crossing partitions undermines the core purpose of logical separation, even though confidentiality and availability are unaffected.
The Narrow Impact: Only Partitioned Setups Need Apply
This is not a sky-is-falling alert for every SALTO customer. CISA’s advisory makes it crystal clear: only installations where the partitioning (or "tenancy") feature is actively enabled are vulnerable. If your ProAccess Space deployment operates as a single flat space without logical divisions, you can stop worrying—this bug does not touch you. Even for those using partitions, the attack vector is limited to authenticated operators, meaning an outsider can’t simply scan for and exploit the flaw from the internet without valid credentials.
That said, “authenticated attacker” doesn’t mean “trustworthy insider.” It could be an employee with minimal access who has gone rogue, a contractor whose credentials were lifted, or even a misconfigured account left behind after a role change. In organizations where partitioning is meant to enforce strict physical access boundaries—such as separating manufacturing floors from corporate offices or isolating classified labs—the consequences of a bypass can be severe.
Playing Defense: Why Authentication Isn’t Enough Here
CISA reports no known public exploitation of CVE-2026-11889 to date, a detail that might tempt some administrators to push the patch to the end of the queue. That would be a mistake. The advisory’s own CVSS vectors show that exploitation doesn’t require user interaction and can be executed over the network, making it a credible target for anyone who obtains operator credentials—whether through phishing, brute force, or an unprotected API.
Authentication is a prerequisite, but it’s also your first line of defense that you can actively strengthen. CISA recommends the usual full-court press: minimize network exposure by keeping ProAccess Space on a protected internal network, place control system devices behind firewalls and away from business networks, and apply least-privilege principles so that each operator account has only the absolute minimum access needed. These steps reduce the pool of potential attackers and limit how much damage they can do if they do slip past authentication.
Your Action Plan: Upgrade, Inventory, and Lock Down
CISA’s remediation order is unambiguous: upgrade all affected ProAccess Space instances to version 6.13. But before you fire up the installer, you need a clear picture of your environment. Here’s a practical checklist to guide you through the process.
First, inventory every ProAccess Space deployment in your organization. Record the exact version running on each. Then, for each installation, determine whether logical partitioning is enabled. This configuration check is crucial—an old version without partitioning is not vulnerable, and you don’t want to rush a patch on systems that don’t need it, potentially causing unnecessary disruption.
Once you’ve identified the systems that check both boxes (version earlier than 6.13 and partitioning on), schedule the upgrade through your normal change management process. The advisory doesn’t mandate a particular post-update restart or sequence, so follow the vendor’s installation documentation for your environment. After upgrading, immediately apply these hardening measures:
- Restrict operator accounts to the bare minimum required. If someone no longer needs access, revoke it.
- Isolate the ProAccess Space server on a dedicated management VLAN with strict firewall rules.
- If your operational needs don’t actually require partitions, disable the feature entirely. A single, unified space is inherently immune to this bug.
- For environments where strong tenant separation is non-negotiable, start evaluating separate, isolated ProAccess Space instances instead of relying solely on logical partitions. This isn’t a quick fix, but it’s the only way to guarantee that a future authorization flaw in one instance can’t spill into another.
After the Fix: Should You Keep Using Partitions?
The advisory doesn’t say partitions are inherently broken after 6.13; it says the vulnerability is patched. However, CISA pointedly recommends that organizations requiring “strong tenant separation” consider dedicated isolated instances. This is a subtle but important nudge: software-based logical barriers are only as trustworthy as the code that enforces them. If your security model depends on partitions to keep, say, a third-party vendor’s management console completely walled off from your internal R&D doors, you may want a harder boundary than what a single application can provide.
This isn’t a decision to agonize over before applying the patch. Upgrade first, restore your baseline security, and then engage your physical security and facilities teams in a conversation about whether your current architecture meets your long-term risk appetite. The answer might still be “yes, our partitions are good enough,” but the discussion is worth having now—especially if your industry deals with compliance mandates or sensitive assets.
What Comes Next: Access Control Under the Microscope
CVE-2026-11889 is a reminder that physical access control systems (PACS) are software-driven cyber-physical systems with all the attendant risks of any enterprise application. As these systems grow more networked and feature-rich, vulnerabilities like authorization bypasses will surface more often. CISA’s advisory, while narrowly scoped, gives every organization that manages door controllers a template for hardening: know your inventory, understand your feature configurations, keep software current, and never assume that a login prompt is a sufficient security boundary.
For now, the immediate task is clear. If you run SALTO ProAccess Space with partitions enabled and your version shows anything below 6.13, carve out a maintenance window. The patch is available, the exploit prerequisites are well-defined, and the guidance from CISA leaves little room for interpretation. Fix the bug, tighten your accounts, and then take a hard look at whether logical partitions truly deliver the isolation your site demands.