Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
AnalysisAI
Privilege escalation in Mesalvo Meona Client Launcher and Server components allows a low-privileged authenticated user to gain access to the administrative panel due to improper access control enforcement. The flaw affects Meona Client Launcher Component through build 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020, and is tagged as an Authentication Bypass with no public exploit identified at time of analysis. The high CVSS score of 7.8 reflects full confidentiality, integrity, and availability impact once a normal user account is leveraged to escalate privileges.
Technical ContextAI
Mesalvo Meona is a clinical workflow and hospital information system used in healthcare environments, comprising a Client Launcher front-end component and a Server back-end component. The root cause is classified as CWE-284 (Improper Access Control), meaning the application fails to properly enforce authorization checks separating normal user roles from administrative roles. The CPE strings cpe:2.3:a:mesalvo:meona_client_launcher_component and cpe:2.3:a:mesalvo:meona_server_component identify the precise products in scope, and the issue manifests when the server-side authorization layer trusts client-side role context or fails to revalidate privileges before exposing the admin panel.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - defenders should contact Mesalvo directly to obtain a fixed Client Launcher build superseding 19.06.2020 15:11:49 and a Server build superseding 2025.04 5+323020, and consult the disclosure write-up at https://seccore.at/blog/cves-meona/ for further technical detail. As compensating controls until a fix is confirmed, restrict network reachability of the Meona Server admin panel to a dedicated administrative VLAN or jump host (trade-off: legitimate remote admin workflows must be re-routed), enforce strict role review and remove unused low-privileged accounts to shrink the attacker pool (trade-off: operational overhead for HR/IT joiners-movers-leavers), enable detailed audit logging on admin-panel endpoints and alert on access by non-admin identities (trade-off: increased log volume and SIEM cost), and require step-up authentication or MFA for any admin-panel session if the platform supports it (trade-off: workflow friction for clinical staff). Avoid exposing the Meona web tier directly to the internet under any circumstances.
Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (thro
Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users
Cleartext storage of sensitive information in memory (CWE-316) affects both the Meona Client Launcher Component and the
Mesalvo Meona's Client Launcher and Server components fail to verify data authenticity (CWE-345), enabling a locally aut
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31093
GHSA-q549-3jgw-crc8