CVE-2026-57953
Status: Received - Intake

Mythic Authorization Bypass via Spectator Role Access

Vulnerability report for CVE-2026-57953, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.

CVSS Scores

No CVSS score is listed for this CVE.

EPSS Scores

No EPSS probability or percentile is listed (not yet evaluated).
Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

2 associated CPEs:

Vendor          Product   Version / Range
mythic          mythic    < 3.4.0.60 (3.4.0.60 itself excluded)
its-a-feature   mythic    < 3.4.0.60 (3.4.0.60 itself excluded)

Exploitability

CWE

CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

AI Quick Actions
Executive Summary

CVE-2026-57953 is an authorization bypass in Mythic before 3.4.0.60. The spectator role is meant to be read-only, but the eventing_import_automatic_webhook endpoint is registered behind middleware that admits spectators, so any authenticated spectator can reach a write operation.

Through that endpoint a spectator can create and delete automation workflows, changing the operation's automation configuration and its EventGroups without holding operator rights.

Impact Analysis

The practical impact is that accounts granted only read-only spectator access can change the automation workflows of the operation they observe.

  • Unauthorized creation and deletion of automation workflows.
  • Unauthorized changes to operation automation configurations and EventGroups.
  • Disruption of workflows the operation relies on, through deletion or replacement by spectator-supplied ones.

The writes are scoped to the operation the spectator is a member of, so this is privilege escalation within an operation rather than across operations. It still breaks the intended read-only boundary, and because eventing workflows act automatically on operation events, a workflow created by a spectator should be treated as a possible path to actions the spectator could not perform directly.

Detection Guidance

Detection means finding write requests to the eventing_import_automatic_webhook endpoint that were issued by accounts holding only the spectator role in the target operation.

Two points shape the search. First, Mythic is deployed as a set of Docker containers, so request logs are read from the containers (for example with `mythic-cli logs` or `docker logs` against the nginx container) rather than from a fixed host path; the `/var/log/mythic/access.log` path below is a placeholder for wherever your deployment collects those logs. Second, an HTTP access log records the endpoint and method but not the caller's role, so hits must be joined against operation membership (which accounts are spectators in which operation) or against Mythic's own records of EventGroup creations and deletions.

Useful checks:

  • Search request logs for the endpoint, e.g. `grep "eventing_import_automatic_webhook" /var/log/mythic/access.log` (substitute your container log source).
  • Keep only write methods, e.g. `grep -E '"(POST|PUT|DELETE) ' /var/log/mythic/access.log | grep "eventing_import_automatic_webhook"`. Writes normally arrive as POST; matching other non-GET methods too avoids missing a variant, and anchoring the pattern to the quoted request line avoids matching the word POST elsewhere on the line.
  • Compare EventGroup creations and deletions recorded in the database or operation event log against the membership table, and flag any made by an account whose view mode in that operation is spectator, or that has no membership in the operation at all.
  • Alert on any request to the endpoint from a session that maps to a spectator account, and on EventGroup changes in an operation by accounts never granted operator rights there.
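The third check above, the join of EventGroup changes against operation membership, as an added example (not code from the page or from the Mythic project). It runs over constructed JSON-lines exports whose field names are assumptions modelled on Mythic's per-operation view mode; map them onto whatever your database or event-log export actually contains.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Membership is one row of an operation-membership export. Field names are an
// assumption modelled on Mythic's per-operation view mode, not its real schema.
type Membership struct {
	Operator  string `json:"operator"`
	Operation string `json:"operation"`
	ViewMode  string `json:"view_mode"` // "operator", "lead" or "spectator"
}

// Change is one EventGroup create/delete record from an audit export (constructed
// shape for this example).
type Change struct {
	Timestamp  string `json:"timestamp"`
	Operator   string `json:"operator"`
	Operation  string `json:"operation"`
	Action     string `json:"action"` // "create" or "delete"
	EventGroup string `json:"eventgroup"`
	Source     string `json:"source"` // endpoint or UI path that produced the change
}

// Finding is a write performed by an account that was only a spectator (or no member).
type Finding struct {
	Timestamp, Operator, Operation, Action, EventGroup, Source string
}

func (f Finding) String() string {
	return fmt.Sprintf("%s %q %s EventGroup %q in %q via %s",
		f.Timestamp, f.Operator, f.Action, f.EventGroup, f.Operation, f.Source)
}

// Constructed sample data, one JSON object per line.
const sampleMemberships = `
{"operator":"alice","operation":"op-red","view_mode":"lead"}
{"operator":"bob","operation":"op-red","view_mode":"operator"}
{"operator":"client-observer","operation":"op-red","view_mode":"spectator"}
{"operator":"client-observer","operation":"op-blue","view_mode":"operator"}
`

const sampleChanges = `
{"timestamp":"2026-06-28T09:12:03Z","operator":"bob","operation":"op-red","action":"create","eventgroup":"auto-screenshot","source":"eventing_import"}
{"timestamp":"2026-06-28T11:40:17Z","operator":"client-observer","operation":"op-red","action":"create","eventgroup":"exfil-on-callback","source":"eventing_import_automatic_webhook"}
{"timestamp":"2026-06-28T11:41:02Z","operator":"client-observer","operation":"op-red","action":"delete","eventgroup":"auto-screenshot","source":"eventing_import_automatic_webhook"}
{"timestamp":"2026-06-28T12:00:00Z","operator":"client-observer","operation":"op-blue","action":"create","eventgroup":"notify","source":"eventing_import"}
{"timestamp":"2026-06-28T12:05:00Z","operator":"mallory","operation":"op-red","action":"create","eventgroup":"persist","source":"eventing_import_automatic_webhook"}
`

// decodeLines calls each for every non-empty line of a JSON-lines blob.
func decodeLines(raw string, each func(line string) error) error {
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		if err := each(line); err != nil {
			return err
		}
	}
	return nil
}

// FindSpectatorWrites joins every EventGroup change against operation membership and
// returns those made by an account whose view mode in that operation is spectator,
// plus changes by accounts with no membership row at all, sorted by timestamp.
func FindSpectatorWrites(membershipJSONL, changesJSONL string) ([]Finding, error) {
	role := map[string]string{} // key: operation + "/" + operator
	err := decodeLines(membershipJSONL, func(line string) error {
		var m Membership
		if err := json.Unmarshal([]byte(line), &m); err != nil {
			return err
		}
		role[m.Operation+"/"+m.Operator] = m.ViewMode
		return nil
	})
	if err != nil {
		return nil, err
	}
	var findings []Finding
	err = decodeLines(changesJSONL, func(line string) error {
		var c Change
		if err := json.Unmarshal([]byte(line), &c); err != nil {
			return err
		}
		mode, member := role[c.Operation+"/"+c.Operator]
		if !member || mode == "spectator" {
			findings = append(findings, Finding{Timestamp: c.Timestamp, Operator: c.Operator,
				Operation: c.Operation, Action: c.Action, EventGroup: c.EventGroup, Source: c.Source})
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Timestamp < findings[j].Timestamp })
	return findings, nil
}

func main() {
	findings, err := FindSpectatorWrites(sampleMemberships, sampleChanges)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

The membership key is operation plus operator, not operator alone: in the sample the same account is a spectator in one operation and an operator in another, and only its writes in the operation where it is a spectator are flagged. A write by an account with no membership row is flagged as well, since nothing outside an operation should be creating EventGroups in it.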
Mitigation Strategies

The fix is to upgrade Mythic to 3.4.0.60 or later, where the endpoint is no longer reachable through the spectator-permitted middleware.

Until the upgrade is applied, note that the role check lives in the Mythic server itself, so "adjusting middleware" means running a patched server build. If that is not possible, the interim options are coarser: block requests to the eventing_import_automatic_webhook endpoint at the reverse proxy in front of Mythic (this also blocks legitimate operators from using the import, so treat it as a temporary trade-off), and review operation memberships so that only trusted accounts hold the spectator role while the endpoint is exposed.

In parallel, monitor and audit changes to automation workflows and EventGroups, and investigate any created or deleted by accounts that are spectators in the affected operation.
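The registration mistake behind this CVE, and the middleware fix, as an added example written against Go's standard net/http rather than Mythic's own router (this is not Mythic's code; the route path, the header-based authentication stub and the middleware names are assumptions made for the demonstration). A write handler registered under the group that admits spectators is reachable by them; moving it under an operator-only gate is the fix.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role names follow the idea of Mythic's view modes; the values here are assumptions.
type Role string

const (
	RoleOperator  Role = "operator"
	RoleSpectator Role = "spectator"
)

type ctxKey string

const roleKey ctxKey = "role"

// authenticate is a stand-in for session/token validation: for the demonstration it
// reads the caller's role from a header (assumption; a real server derives it from
// the authenticated session and the caller's membership in the current operation).
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role := Role(r.Header.Get("X-Demo-Role"))
		if role != RoleOperator && role != RoleSpectator {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), roleKey, role)))
	})
}

// spectatorPermitted admits any authenticated role: correct only for read-only handlers.
func spectatorPermitted(next http.Handler) http.Handler { return next }

// operatorOnly rejects spectators: required for every handler that writes.
func operatorOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Context().Value(roleKey) != RoleOperator {
			http.Error(w, "forbidden: spectators cannot modify eventing configuration", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// importWebhook stands in for the eventing_import_automatic_webhook handler; it writes.
func importWebhook(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusCreated)
	w.Write([]byte("eventgroup created\n"))
}

// newMux builds the routing table. vulnerable=true reproduces the bug: the write
// endpoint sits behind the spectator-permitted group. The path is hypothetical.
func newMux(vulnerable bool) http.Handler {
	mux := http.NewServeMux()
	gate := operatorOnly
	if vulnerable {
		gate = spectatorPermitted
	}
	mux.Handle("/api/eventing_import_automatic_webhook", gate(http.HandlerFunc(importWebhook)))
	// A genuinely read-only route belongs under the spectator-permitted group.
	mux.Handle("/api/eventgroups", spectatorPermitted(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("[]\n"))
	})))
	return authenticate(mux)
}

// Probe sends a POST to path as the given role and returns the HTTP status code.
func Probe(h http.Handler, role Role, path string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.Header.Set("X-Demo-Role", string(role))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const path = "/api/eventing_import_automatic_webhook"
	for _, vuln := range []bool{true, false} {
		fmt.Printf("vulnerable=%v spectator POST %s -> %d\n", vuln, path, Probe(newMux(vuln), RoleSpectator, path))
	}
}
```

The check worth keeping from this example is the probe itself: after a patch or upgrade, a POST to the endpoint as a spectator account should return 403, and the same request as an operator should still succeed.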
