5.3
/ 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Description
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
Basic Information
ID
CVE-2026-57953
Source
VulnCheck
Published
Jun 29, 2026 at 17:21
Affected Product
Vendor
its-a-feature
Product
Mythic
Affected Versions
its-a-feature Mythic 0
CWE Classification
References
- github.com /its-a-feature/Mythic/releases/tag/v3.4.0.60
- github.com /its-a-feature/Mythic/issues/565
- github.com /its-a-feature/Mythic/commit/82648e8241b800a32e1882afc310e7316d98ebaa
- www.vulncheck.com /advisories/mythic-unauthorized-automation-workflow-modification-via-eventing-import-automatic-webhook-endpoint