CVE-2026-57913
Status: Deferred - Pending Action
Unauthorized Access to Meeting Minutes in Johnson & Johnson ATMS

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: MITRE

Description
Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: johnson_and_johnson
Product: audit_tracking_management_system
Version / Range: versions before 2026-04-21 (upper bound exclusive)
CWE
CWE-602: The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
Executive Summary

The vulnerability in Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows unauthorized users to view meeting minutes and transcripts.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information contained in meeting minutes and transcripts, potentially exposing confidential or proprietary data.

Compliance Impact

The vulnerability in Johnson & Johnson's Audit Tracking Management System (ATMS) allowed unauthorized access to confidential information, including meeting minutes, transcripts, and a list of 13,600 employees. Such unauthorized disclosure of sensitive personal and corporate data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.

Specifically, the exposure of employee data and confidential meeting content without proper authentication or authorization could violate principles of data confidentiality and integrity required by these standards.

The delayed response by Johnson & Johnson in addressing the vulnerability until after journalistic intervention may further exacerbate compliance risks, as timely remediation is often a requirement under such regulations.

Detection Guidance

The vulnerability in the Johnson & Johnson Audit Tracking Management System (ATMS) involves unauthenticated APIs that allow access to sensitive information by spoofing valid employee credentials and manipulating local storage.

To detect this vulnerability on your network or system, you can monitor for unauthorized API access attempts or unusual authentication bypass activities targeting the ATMS endpoints.

Specific commands are not provided in the available resources, but general detection methods could include:

  • Using network traffic analysis tools (e.g., Wireshark or tcpdump) to identify API calls without proper authentication headers.
  • Checking server logs for API requests that do not require valid tokens or credentials.
  • Using web application security scanners to test for unauthenticated API endpoints.
Mitigation Strategies

Immediate mitigation steps include ensuring that all API endpoints in the Audit Tracking Management System (ATMS) require proper authentication and authorization.

Specifically:

  • Implement token-based authentication instead of relying on hardcoded API keys or unauthenticated access.
  • Validate and verify employee credentials on every API request to prevent spoofing.
  • Restrict access to sensitive data such as meeting minutes and transcripts to authorized users only.
  • Monitor and audit API access logs regularly to detect suspicious activities.
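The mitigation bullets above map directly onto CWE-602: the fix is to stop trusting anything the client asserts about itself and to decide identity and entitlement from server-held state on every request. The following is an added example, not code from the ATMS product or from Johnson & Johnson; the `Request` shape, the session tokens, the ACL and the meeting texts are all constructed for illustration. It places the weak pattern (the server honours a client-supplied role header, the kind of value a client could populate from local storage) next to the hardened form (opaque bearer token looked up server-side, then a server-side ACL check, with every decision written to an audit log).

```python
"""Added example (hypothetical, not ATMS code): server-side
authorization for a 'meeting minutes' endpoint, contrasting the
CWE-602 pattern with a server-side token-plus-ACL check."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# --- Constructed sample server state -------------------------------------
# Server-issued opaque session tokens -> authenticated user id.
SESSIONS: Dict[str, str] = {
    "tok-alice-4f2c": "alice",
    "tok-bob-9a71": "bob",
}

# Server-side access control list: meeting id -> users allowed to read it.
MINUTES_ACL: Dict[str, set] = {
    "meeting-101": {"alice"},
    "meeting-202": {"alice", "bob"},
}

# The protected resource (constructed sample text).
MINUTES: Dict[str, str] = {
    "meeting-101": "Q3 audit findings (constructed sample)",
    "meeting-202": "Training schedule (constructed sample)",
}

# Append-only audit trail of access decisions: (user, meeting, allowed, reason).
AUDIT_LOG: List[Tuple[str, str, bool, str]] = []


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical shape)."""
    headers: Dict[str, str] = field(default_factory=dict)
    meeting_id: str = ""


class Forbidden(Exception):
    """Raised when the server denies access."""


def fetch_minutes_insecure(req: Request) -> str:
    """CWE-602 pattern: the server believes a client-supplied 'X-Role'
    header and performs no server-side identity or entitlement check.
    Any client that sends the header reads any meeting."""
    if req.headers.get("X-Role") != "employee":
        raise Forbidden("client did not claim employee role")
    return MINUTES[req.meeting_id]


def access_decision(req: Request) -> Tuple[bool, str]:
    """Hardened decision: identity comes only from a server-issued opaque
    token, entitlement only from the server-side ACL. Returns
    (allowed, reason) and records the decision in AUDIT_LOG."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        AUDIT_LOG.append(("<anonymous>", req.meeting_id, False, "no token"))
        return False, "missing bearer token"
    presented = auth[len("Bearer "):]

    # Compare against every known token in constant time so that a
    # partial match does not leak through timing differences.
    user = None
    for known, uid in SESSIONS.items():
        if hmac.compare_digest(known, presented):
            user = uid
    if user is None:
        AUDIT_LOG.append(("<anonymous>", req.meeting_id, False, "bad token"))
        return False, "unknown or expired session"

    if user not in MINUTES_ACL.get(req.meeting_id, set()):
        AUDIT_LOG.append((user, req.meeting_id, False, "not entitled"))
        return False, f"{user} is not entitled to {req.meeting_id}"

    AUDIT_LOG.append((user, req.meeting_id, True, "ok"))
    return True, user


def fetch_minutes_secure(req: Request) -> str:
    """Serve the minutes only after a server-side allow decision."""
    allowed, reason = access_decision(req)
    if not allowed:
        raise Forbidden(reason)
    return MINUTES[req.meeting_id]


if __name__ == "__main__":
    # Weak endpoint: a bare role header is enough.
    print(fetch_minutes_insecure(Request({"X-Role": "employee"}, "meeting-101")))
    # Hardened endpoint: bob holds a valid session but is not on the ACL.
    print(access_decision(Request({"Authorization": "Bearer tok-bob-9a71"}, "meeting-101")))
    print(fetch_minutes_secure(Request({"Authorization": "Bearer tok-bob-9a71"}, "meeting-202")))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The point of the contrast is that in the hardened path the client contributes exactly one thing, an opaque token, and nothing it says about its own role, employee status or locally stored state influences the decision; the denial entries in `AUDIT_LOG` are also the raw material for the log-based detection suggested under Detection Guidance.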