Executive Summary

CVE-2026-25058 is a critical security vulnerability in the Vexa transcription-collector service, versions prior to 0.10.0-260419-1910. The issue is an Insecure Direct Object Reference (IDOR) caused by an internal API endpoint that is exposed without any authentication or authorization checks.

Specifically, the endpoint `GET /internal/transcripts/{meeting_id}` returns transcript data for any meeting without requiring the requester to prove their identity or permission. This means an unauthenticated attacker can enumerate meeting IDs and retrieve confidential meeting transcripts belonging to any user.

The vulnerability arises because the endpoint lacks authentication dependencies and authorization checks to verify that the requesting user owns the meeting. Although the endpoint is hidden from API documentation, it remains accessible by default on port 8123.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to access and steal confidential business conversations, passwords, and personally identifiable information (PII) by exploiting an exposed internal endpoint without authentication or authorization.

Such unauthorized access and data breaches can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

Specifically, the exposure of PII and confidential data without proper access controls violates principles of data confidentiality and security mandated by these regulations, potentially resulting in legal and financial consequences for affected organizations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to confidential business conversations, passwords, and personally identifiable information (PII).

An attacker can exploit this flaw to bypass authentication completely and steal sensitive meeting transcripts from any user by simply enumerating meeting IDs.

This leads to a multi-tenant data breach where the confidentiality of all users' meeting data is compromised, potentially causing significant privacy violations and business risks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the internal endpoint `GET /internal/transcripts/{meeting_id}` is accessible without authentication on the Vexa transcription-collector service.

You can attempt to enumerate meeting IDs by sending unauthenticated HTTP GET requests to the endpoint on the service port (default 8123) and observe if transcript data is returned.

• Use curl to test access to the endpoint for a specific meeting ID, for example:
• curl -v http://localhost:8123/internal/transcripts/1
• If the response returns transcript data without requiring authentication, the vulnerability is present.
• You can script enumeration of meeting IDs by incrementing the meeting_id in the URL and checking for valid responses.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Vexa transcription-collector service to version 0.10.0-260419-1910 or later, where this vulnerability is patched.

Until the upgrade can be applied, restrict network access to the service port (default 8123) to trusted users only, for example by firewall rules or network segmentation.

Alternatively, disable or block access to the internal endpoint `/internal/transcripts/{meeting_id}` to prevent unauthenticated access.

Implement authentication and authorization checks on the endpoint to ensure only authorized users can access meeting transcripts.

Useful 0 Not Useful 0