CVE-2026-50214
Status: Analyzed (Analysis Complete)
Global API Token Authentication Bypass in Plan Service

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description
The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans.
Meta Information

Published: 2026-06-04
Last modified: 2026-06-08
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS evaluated: 2026-06-23
Affected Vendors & Products

Vendor | Product | Version / Range
acer | connect_m6e_5g_firmware | up to and including m6e_ai_1.00.000019
CWE

CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Quick Actions
Executive Summary

This vulnerability exists because the /v1/Plan service uses a single shared global API token for full administrative management. This means that anyone who obtains this token can create network access plans arbitrarily, including zero-cost plans, without any restrictions.

Impact Analysis

The impact of this vulnerability is severe because an attacker can use the shared global API token to create unlimited zero-cost network access plans. This could lead to unauthorized access, financial loss, and potential abuse of network resources.

Compliance Impact

The vulnerability allows arbitrary creation of zero-cost network access plans via a shared global API token, which implies a significant risk of unauthorized access and administrative control over the device.

Such unauthorized access and potential data exposure could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require strict access controls, data protection, and accountability measures to safeguard personal and sensitive information.

Exploitation of this vulnerability could result in unauthorized data access or manipulation, thereby violating confidentiality and integrity requirements mandated by these regulations.

Mitigation Strategies

To mitigate this vulnerability, users should immediately secure their devices by setting strong administrative passwords.

It is also recommended to restrict IPv6 traffic where possible to reduce exposure.

Users should apply the forthcoming firmware patches provided by Acer via the device management interface as soon as they become available.

Detection Guidance

This vulnerability involves the /v1/Plan service using a shared global API token for full administrative access, allowing arbitrary creation of zero-cost network access plans.

To detect exploitation attempts or presence of this vulnerability on your network or system, you should monitor for unusual API calls to the /v1/Plan endpoint, especially those that create or modify network access plans without proper authentication.

Since the vulnerability relates to unauthorized API token usage, inspecting network traffic for API requests containing the shared global token or anomalous plan creation requests can help identify exploitation.

Specific commands are not provided in the available resources, but general approaches include:

  • Using network traffic capture tools (e.g., tcpdump, Wireshark) to filter HTTP requests to the /v1/Plan endpoint.
  • Searching logs on the device or network for API calls involving the /v1/Plan service.
  • Checking for unexpected creation of zero-cost network access plans in device management interfaces.
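As an added example of the log-search approach above (not code from the advisory or from Acer), the script below scans constructed HTTP access-log lines and flags management calls to /v1/Plan that create zero-cost plans, plus any API token presented from more than one client address, which is the pattern a shared global token leaves behind. The log format, the field names `cost`/`name`, and the token placeholder are assumptions; adapt the regex to the device's real log layout.

```python
import json
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the advisory). Assumed format:
#   <client_ip> <method> <path> <status> token=<api-token> body=<json or ->
# TOKEN_PLACEHOLDER stands in for the device's real shared token value.
SAMPLE_LOG = """\
10.0.0.5 GET /v1/Plan 200 token=TOKEN_PLACEHOLDER body=-
10.0.0.5 POST /v1/Plan 201 token=TOKEN_PLACEHOLDER body={"name":"basic","cost":9.99}
10.0.0.7 POST /v1/Plan 201 token=TOKEN_PLACEHOLDER body={"name":"free","cost":0}
203.0.113.9 POST /v1/Plan 201 token=TOKEN_PLACEHOLDER body={"name":"gift","cost":0}
10.0.0.5 GET /v1/Status 200 token=TOKEN_PLACEHOLDER body=-
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"token=(?P<token>\S+) body=(?P<body>.*)$"
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def analyze(log_text):
    """Return plan writes, zero-cost plan creations, and tokens seen from several clients."""
    plan_writes, zero_cost, token_ips = [], [], defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not match the assumed format
        rec = m.groupdict()
        token_ips[rec["token"]].add(rec["ip"])
        # Only management (write) calls to the plan service itself are of interest.
        if not rec["path"].startswith("/v1/Plan") or rec["method"] not in WRITE_METHODS:
            continue
        plan_writes.append(rec)
        try:
            body = json.loads(rec["body"])
        except ValueError:
            continue  # no parsable body, e.g. "body=-"
        if isinstance(body, dict) and body.get("cost") == 0:
            zero_cost.append((rec["ip"], body.get("name")))
    # One token presented from more than one client address: the shared-global-token pattern.
    shared = {t: sorted(ips) for t, ips in token_ips.items() if len(ips) > 1}
    return {"plan_writes": plan_writes, "zero_cost": zero_cost, "shared_tokens": shared}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, name in result["zero_cost"]:
        print(f"ALERT zero-cost plan '{name}' created from {ip}")
    for tok, ips in result["shared_tokens"].items():
        print(f"ALERT token {tok[:8]}... used from {len(ips)} clients: {ips}")
```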

Users are also advised to secure devices with strong administrative passwords and restrict IPv6 traffic where possible as preventive measures.
