CVE-2026-57953

Source
https://cve.org/CVERecord?id=CVE-2026-57953
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57953.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57953
Published
2026-06-29T17:21:31.254Z
Modified
2026-07-16T03:31:10.777872428Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Mythic < 3.4.0.60 - Unauthorized Automation Workflow Modification via eventing_import_automatic_webhook Endpoint
Details

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57953.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/its-a-feature/mythic

Affected ranges

Type
GIT
Repo
https://github.com/its-a-feature/mythic
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:its-a-feature:mythic:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.4.0.60"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.1.18
v0.*
v0.0.3.1
v0.0.3.10
v0.0.3.11
v0.0.3.12
v0.0.3.13
v0.0.3.14
v0.0.3.15
v0.0.3.16
v0.0.3.17
v0.0.3.18
v0.0.3.19
v0.0.3.2
v0.0.3.20
v0.0.3.21
v0.0.3.22
v0.0.3.24
v0.0.3.25
v0.0.3.26
v0.0.3.27
v0.0.3.28
v0.0.3.29
v0.0.3.3
v0.0.3.31
v0.0.3.32
v0.0.3.33
v0.0.3.34
v0.0.3.35
v0.0.3.36
v0.0.3.37
v0.0.3.38
v0.0.3.39
v0.0.3.4
v0.0.3.40
v0.0.3.41
v0.0.3.42
v0.0.3.43
v0.0.3.44
v0.0.3.45
v0.0.3.46
v0.0.3.47
v0.0.3.48
v0.0.3.49
v0.0.3.5
v0.0.3.50
v0.0.3.51
v0.0.3.52
v0.0.3.53
v0.0.3.6
v0.0.3.7
v0.0.3.8
v0.0.3.9
v2.*
v2.2.13
v2.2.14
v2.2.7
v2.3.13
v2.3.7
v2.3.9
v3.*
v3.0.0
v3.1.0
v3.2.2
v3.2.20
v3.3.0.10
v3.3.0.100
v3.3.0.101
v3.3.0.102
v3.3.0.103
v3.3.0.104
v3.3.0.105
v3.3.0.106
v3.3.0.107
v3.3.0.108
v3.3.0.109
v3.3.0.11
v3.3.0.110
v3.3.0.111
v3.3.0.112
v3.3.0.113
v3.3.0.114
v3.3.0.115
v3.3.0.116
v3.3.0.117
v3.3.0.118
v3.3.0.119
v3.3.0.12
v3.3.0.120
v3.3.0.121
v3.3.0.122
v3.3.0.123
v3.3.0.124
v3.3.0.125
v3.3.0.126
v3.3.0.127
v3.3.0.128
v3.3.0.129
v3.3.0.13
v3.3.0.130
v3.3.0.131
v3.3.0.132
v3.3.0.133
v3.3.0.135
v3.3.0.136
v3.3.0.14
v3.3.0.15
v3.3.0.16
v3.3.0.17
v3.3.0.18
v3.3.0.19
v3.3.0.2
v3.3.0.20
v3.3.0.21
v3.3.0.22
v3.3.0.23
v3.3.0.24
v3.3.0.25
v3.3.0.26
v3.3.0.27
v3.3.0.28
v3.3.0.29
v3.3.0.31
v3.3.0.32
v3.3.0.33
v3.3.0.34
v3.3.0.35
v3.3.0.36
v3.3.0.37
v3.3.0.38
v3.3.0.39
v3.3.0.4
v3.3.0.40
v3.3.0.41
v3.3.0.42
v3.3.0.43
v3.3.0.44
v3.3.0.45
v3.3.0.46
v3.3.0.47
v3.3.0.48
v3.3.0.49
v3.3.0.5
v3.3.0.51
v3.3.0.52
v3.3.0.53
v3.3.0.54
v3.3.0.55
v3.3.0.56
v3.3.0.57
v3.3.0.58
v3.3.0.59
v3.3.0.60
v3.3.0.61
v3.3.0.62
v3.3.0.63
v3.3.0.64
v3.3.0.65
v3.3.0.66
v3.3.0.67
v3.3.0.68
v3.3.0.69
v3.3.0.7
v3.3.0.70
v3.3.0.71
v3.3.0.72
v3.3.0.73
v3.3.0.74
v3.3.0.75
v3.3.0.76
v3.3.0.77
v3.3.0.78
v3.3.0.79
v3.3.0.8
v3.3.0.80
v3.3.0.81
v3.3.0.82
v3.3.0.83
v3.3.0.84
v3.3.0.85
v3.3.0.86
v3.3.0.87
v3.3.0.88
v3.3.0.89
v3.3.0.9
v3.3.0.90
v3.3.0.91
v3.3.0.92
v3.3.0.93
v3.3.0.94
v3.3.0.95
v3.3.0.96
v3.3.0.97
v3.3.0.98
v3.3.0.99
v3.4.0.0
v3.4.0.1
v3.4.0.10
v3.4.0.11
v3.4.0.13
v3.4.0.14
v3.4.0.15
v3.4.0.16
v3.4.0.17
v3.4.0.18
v3.4.0.19
v3.4.0.2
v3.4.0.20
v3.4.0.21
v3.4.0.22
v3.4.0.23
v3.4.0.24
v3.4.0.25
v3.4.0.26
v3.4.0.27
v3.4.0.28
v3.4.0.29
v3.4.0.3
v3.4.0.30
v3.4.0.31
v3.4.0.32
v3.4.0.33
v3.4.0.34
v3.4.0.35
v3.4.0.36
v3.4.0.37
v3.4.0.38
v3.4.0.39
v3.4.0.4
v3.4.0.40
v3.4.0.41
v3.4.0.42
v3.4.0.43
v3.4.0.44
v3.4.0.45
v3.4.0.46
v3.4.0.47
v3.4.0.48
v3.4.0.49
v3.4.0.5
v3.4.0.51
v3.4.0.52
v3.4.0.53
v3.4.0.54
v3.4.0.55
v3.4.0.56
v3.4.0.57
v3.4.0.58
v3.4.0.59
v3.4.0.6
v3.4.0.7
v3.4.0.8
v3.4.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57953.json"