CVE-2026-50213
Analyzed - Analysis Complete
Account Enumeration via Predictable User IDs in Application

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.
Meta Information

Published: 2026-06-04

Last Modified: 2026-06-04

Generated: 2026-06-24

AI Q&A: 2026-06-04

EPSS Evaluated: 2026-06-23

Affected Vendors & Products
Showing 1 associated CPE
Vendor: acer
Product: connect_m6e_5g_firmware
Version / Range: to m6e_ai_1.00.000019 (inc)

CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.

Mitigation Strategies

To mitigate this vulnerability, users should apply any available patches or firmware updates as soon as they are released.

Additionally, securing devices with strong administrative passwords and restricting IPv6 traffic where possible can help reduce the risk of exploitation.

Executive Summary

This vulnerability involves the account validation endpoint /v1/User/validate, which returns detailed user profile data sheets. An attacker can exploit this by iterating through predictable identification strings to crawl and collect comprehensive user information.

Impact Analysis

The vulnerability can lead to unauthorized access to extensive user profile data, potentially exposing sensitive personal information. This can result in privacy breaches, identity theft, and other malicious activities due to the ease of crawling user data without authentication.

Compliance Impact

The vulnerability allows the account validation endpoint to return comprehensive user profile data sheets that can be accessed by iterating predictable identification strings. This exposure of detailed user data without proper access controls can lead to unauthorized data disclosure.

Such unauthorized disclosure of personal data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on personal data access and processing to protect user privacy and ensure data security.

Detection Guidance

This vulnerability involves the account validation endpoint /v1/User/validate returning comprehensive user profile data sheets that can be crawled by iterating predictable identification strings.

To detect this vulnerability on your network or system, you can attempt to access the /v1/User/validate endpoint with sequential or predictable user IDs to see if user profile data is returned without proper authorization.

A simple command using curl to test this could be:

  • curl -X GET "http://[target-ip]/v1/User/validate?id=1"
  • curl -X GET "http://[target-ip]/v1/User/validate?id=2"

By iterating over the id parameter, you can check if the endpoint returns user profile data without authentication, indicating the presence of the vulnerability.
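
The same pattern can also be looked for after the fact in web access logs. The following is an added example, not code from this page or from the vendor: it flags clients that received successful responses from /v1/User/validate for many distinct, mostly consecutive id values. The log format (common log format), the thresholds, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format is an assumption).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Jun/2026:10:00:01 +0000] "GET /v1/User/validate?id=101 HTTP/1.1" 200 512
192.0.2.10 - - [04/Jun/2026:10:00:01 +0000] "GET /v1/User/validate?id=102 HTTP/1.1" 200 498
192.0.2.10 - - [04/Jun/2026:10:00:02 +0000] "GET /v1/User/validate?id=103 HTTP/1.1" 200 530
192.0.2.10 - - [04/Jun/2026:10:00:02 +0000] "GET /v1/User/validate?id=104 HTTP/1.1" 200 507
192.0.2.10 - - [04/Jun/2026:10:00:03 +0000] "GET /v1/User/validate?id=105 HTTP/1.1" 200 519
198.51.100.7 - - [04/Jun/2026:10:05:00 +0000] "GET /v1/User/validate?id=42 HTTP/1.1" 200 501
198.51.100.7 - - [04/Jun/2026:11:30:00 +0000] "GET /v1/User/validate?id=900 HTTP/1.1" 200 488
203.0.113.5 - - [04/Jun/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})\b')
ENDPOINT = "/v1/User/validate"  # endpoint named in the advisory


def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of ids."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best


def find_enumerators(log_text, min_ids=5, min_run=4):
    """Return {client: (distinct_ids, longest_run)} for clients walking the id space."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m.group(3) != "200":  # only responses that returned data
            continue
        url = urlsplit(m.group(2))
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("id", []):
            if value.isdigit():
                seen[m.group(1)].add(int(value))
    return {c: (len(ids), longest_run(ids)) for c, ids in seen.items()
            if len(ids) >= min_ids and longest_run(ids) >= min_run}


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The thresholds should be tuned against normal traffic for the device, since a legitimate client is expected to validate only a small number of accounts.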
