CVE-2026-57953
⚪ Do wiadomości
Obejście autoryzacji w Mythic pozwala użytkownikom z rolą widza na nieautoryzowane modyfikacje.
CVSS
5.4
EPSS
0.0%
Exploit
none
Vendor
Opis źródłowy (NVD)
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
brak
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 5.4 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-06-29 18:16:40 UTC |
| Ostatnia modyfikacja (NVD) | 2026-06-29 20:17:40 UTC |
Referencje
- https://github.com/its-a-feature/Mythic/commit/82648e8241b800a32e1882afc310e7316d98ebaa (disclosure@vulncheck.com)
- https://github.com/its-a-feature/Mythic/issues/565 (disclosure@vulncheck.com)
- https://github.com/its-a-feature/Mythic/releases/tag/v3.4.0.60 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/mythic-unauthorized-automation-workflow-modification-via-eventing-import-automatic-webhook-endpoint (disclosure@vulncheck.com)