CVE-2026-58446

Source
https://cve.org/CVERecord?id=CVE-2026-58446
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58446.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58446
Published
2026-06-30T21:05:15.949Z
Modified
2026-07-16T03:31:02.713724508Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint
Details

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTHUSERNAME/AUTHPASSWORD), is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a valid internal session token for the configured user. A remote unauthenticated attacker can invoke MCP tools such as generatepresentation, performing authenticated application actions, consuming the operators configured LLM API keys, and creating presentations in the operators instance. The Electron desktop build is not affected (MCP disabled).

Database specific
{
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58446.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/presenton/presenton

Affected ranges

Type
GIT
Repo
https://github.com/presenton/presenton
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.8-beta"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.5.10
electron-v0.*
electron-v0.6.0-beta
electron-v0.6.2-beta
electron-v0.6.3-beta
electron-v0.7.0-beta
electron-v0.7.1-beta
electron-v0.7.2-beta
electron-v0.7.3-beta
electron-v0.8.6-beta
v0.*
v0.1.0-beta
v0.2.0-beta
v0.2.1-beta
v0.3.0-beta
v0.3.2-beta
v0.3.4-beta
v0.3.5-beta
v0.3.6-beta
v0.3.7-beta
v0.4.0-beta
v0.4.1-beta
v0.4.3-beta
v0.4.4-beta
v0.4.5-beta
v0.4.7-beta
v0.4.8-beta
v0.5.0-beta
v0.5.1-beta
v0.5.11-beta
v0.5.12-beta
v0.5.14-beta
v0.5.15-beta
v0.5.16-beta
v0.5.17-beta
v0.5.18-beta
v0.5.2-beta
v0.5.3-beta
v0.5.4-beta
v0.5.5
v0.5.6-beta
v0.5.7-beta
v0.5.8-beta
v0.5.9-beta
v0.7.3-beta
v0.8.0-beta
v0.8.1-beta
v0.8.2-beta
v0.8.3-beta
v0.8.4-beta
v0.8.5-beta
v0.8.6-beta
v0.8.8-beta

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58446.json"