Skip to main content

DecoCMS Mesh CVE-2025-14660

LOW
Incorrect Privilege Assignment (CWE-266)
2025-12-14 cna@vuldb.com
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:46 vuln.today

DescriptionCVE.org

A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component.

AnalysisAI

Improper access controls in DecoCMS Mesh up to 1.0.0-alpha.31 allow remote attackers to manipulate the domain argument in the createTool function of the Workspace Domain Handler, resulting in unauthorized information disclosure. The vulnerability requires high attack complexity and has published exploit code available, though real-world exploitation appears difficult. CVSS score of 2.9 reflects low severity with limited confidentiality impact, while EPSS scoring at 25th percentile suggests minimal real-world exploitation probability.

Technical ContextAI

The vulnerability exists in the Workspace Domain Handler component, specifically within the createTool function located at packages/sdk/src/mcp/teams/api.ts. The root cause is classified as CWE-266 (Improper Privilege Management), indicating the function fails to properly validate or enforce access controls when processing the domain argument. This allows callers to supply arbitrary domain values that bypass intended authorization checks. The DecoCMS Mesh SDK provides API abstractions for workspace and team management; the affected createTool function likely constructs tool instances without adequate domain isolation, enabling lateral access or information leakage across domain boundaries.

Affected ProductsAI

DecoCMS Mesh versions up to and including 1.0.0-alpha.31 are affected. The vulnerable component is the Workspace Domain Handler in the SDK package (packages/sdk/src/mcp/teams/api.ts). No CPE string was provided in the source data; affected software can be identified via GitHub at https://github.com/decocms/mesh.

RemediationAI

Vendor-released patch: upgrade DecoCMS Mesh to version 1.0.0-alpha.32 or later, which addresses the improper access control in the createTool function. The patch is available at https://github.com/decocms/mesh/releases/tag/runtime-v1.0.0-alpha.32 and corresponds to commit 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. Users should apply this update to all instances of DecoCMS Mesh SDK in use. If immediate patching is not feasible, implement network segmentation to restrict access to the createTool API endpoint or disable workspace domain-switching features until patched, though these controls are not formally recommended by the vendor and may impact functionality.

Share

CVE-2025-14660 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy