Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
{
"cwe_ids": [
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57953.json",
"cna_assigner": "VulnCheck"
}{
"cpe": "cpe:2.3:a:its-a-feature:mythic:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.4.0.60"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}