Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint, which is registered under spectator-permitted middleware. Attackers with the spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
History
30 Jun 2026, 15:56
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:its-a-feature:mythic:*:*:*:*:*:*:*:* | |
| First Time | Its-a-feature mythic; Its-a-feature | |
| References | https://github.com/its-a-feature/Mythic/commit/82648e8241b800a32e1882afc310e7316d98ebaa - Patch | |
| References | https://github.com/its-a-feature/Mythic/issues/565 - Issue Tracking | |
| References | https://github.com/its-a-feature/Mythic/releases/tag/v3.4.0.60 - Release Notes | |
| References | https://www.vulncheck.com/advisories/mythic-unauthorized-automation-workflow-modification-via-eventing-import-automatic-webhook-endpoint - Third Party Advisory | |
29 Jun 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-29 18:16
Updated : 2026-06-30 15:56
NVD link : CVE-2026-57953
Mitre link : CVE-2026-57953
CVE.ORG link : CVE-2026-57953
Products Affected
its-a-feature
- mythic
CWE
CWE-863
Incorrect Authorization
