Vexa’s unauthenticated internal transcript endpoint exposed by default_CVE-2026-25058

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.

Basic Information

ID CVE-2026-25058

Source GitHub_M

Published Apr 20, 2026 at 16:03

Affected Product

Vendor Vexa-ai

Product vexa

Version < 0.10.0-260419-1910

Affected Versions Vexa-ai vexa < 0.10.0-260419-1910

CWE Classification

CWE-306 CWE-862

References

github.com /Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh

{
    "lastseen": "",
    "description": "Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.",
    "published": "2026-04-20T16:03:06.639Z",
    "modified": "2026-04-20T16:03:06.639Z",
    "type": "cve",
    "title": "Vexa's unauthenticated internal transcript endpoint exposed by default",
    "source": "GitHub_M",
    "references": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh",
    "id": "CVE-2026-25058",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306",
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "Vexa-ai vexa < 0.10.0-260419-1910",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vexa",
    "version": "< 0.10.0-260419-1910",
    "vendor": "Vexa-ai",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}