Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround:
For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.
Solution:
Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.
AnalysisAI
Administrator account takeover in Network Optix Nx Witness VMS before 6.1.2 allows remote unauthenticated attackers to hijack authenticated user sessions through a CORS misconfiguration in the REST API when the product runs in default Standard security mode on Linux or Windows. By luring a logged-in operator to a malicious cross-origin page, the attacker's site can read credentialed REST responses and steal the session token, achieving full administrative takeover; no public exploit identified at time of analysis, but the issue is trivially weaponizable given the well-understood CORS attack pattern.
Technical ContextAI
Nx Witness VMS is a video management system whose server component exposes a REST API (paths like /rest/v2/system/settings) used by browser-based clients. The underlying flaw is classified as CWE-942 (Permissive Cross-domain Policy with Untrusted Domains): when running in the default Standard security mode, the server returns Access-Control-Allow-Credentials: true together with an overly permissive Access-Control-Allow-Origin policy, so the browser allows arbitrary attacker-controlled origins to issue credentialed XHR/fetch requests and read the responses, including session tokens. The affected CPE is cpe:2.3:a:network_optix:nx_witness_vms across all versions prior to the fix. The High security mode hardens the supportedOrigins setting and is therefore not affected.
RemediationAI
Vendor-released patch: Nx Witness VMS 6.1.2, in which Access-Control-Allow-Credentials is set to false by default in Standard security mode; upgrading is the primary fix. For installations that cannot upgrade immediately, the vendor-supplied workaround is to issue PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"} via the REST API, which forces Access-Control-Allow-Credentials to false and blocks credentialed cross-origin reads - note this will also break any legitimate browser integrations that rely on cross-origin credentialed calls, so test integrated dashboards/embeds first. Alternatively, on fresh deployments select the High security level during initial setup. Additional compensating controls: restrict the VMS REST interface to a management VLAN so operator browsers cannot be steered to attacker pages while authenticated, and enforce short session lifetimes so any stolen token has limited value. Full details: https://support.networkoptix.com/hc/en-us/articles/39254208939159-How-to-Enable-CORS-Validation.
More in Cors Misconfiguration
View allCasdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th
Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut
memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel
SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9
A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical
Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to
Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional
Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33262
GHSA-r863-5pgm-c8g4