Skip to main content

Mesalvo Meona CVE-2026-0856

| EUVDEUVD-2026-31093 HIGH
Improper Access Control (CWE-284)
2026-05-20 ENISA GHSA-q549-3jgw-crc8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 11:45 vuln.today

DescriptionCVE.org

Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

AnalysisAI

Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.

Technical ContextAI

Mesalvo Meona is a clinical workflow and hospital information system used in healthcare environments, comprising a Client Launcher front-end component and a Server back-end component. The root cause is classified as CWE-284 (Improper Access Control), meaning the application fails to properly enforce authorization checks separating normal user roles from administrative roles. The CPE strings cpe:2.3:a:mesalvo:meona_client_launcher_component and cpe:2.3:a:mesalvo:meona_server_component identify the precise products in scope, and the issue manifests when the server-side authorization layer trusts client-side role context or fails to revalidate privileges before exposing the admin panel.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - defenders should contact Mesalvo directly to obtain a fixed Client Launcher build superseding 19.06.2020 15:11:49 and a Server build superseding 2025.04 5+323020, and consult the disclosure write-up at https://seccore.at/blog/cves-meona/ for further technical detail. As compensating controls until a fix is confirmed, restrict network reachability of the Meona Server admin panel to a dedicated administrative VLAN or jump host (trade-off: legitimate remote admin workflows must be re-routed), enforce strict role review and remove unused low-privileged accounts to shrink the attacker pool (trade-off: operational overhead for HR/IT joiners-movers-leavers), enable detailed audit logging on admin-panel endpoints and alert on access by non-admin identities (trade-off: increased log volume and SIEM cost), and require step-up authentication or MFA for any admin-panel session if the platform supports it (trade-off: workflow friction for clinical staff). Avoid exposing the Meona web tier directly to the internet under any circumstances.

Share

CVE-2026-0856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy