Skip to main content

Nx Witness VMS CVE-2026-10056

| EUVDEUVD-2026-33262 HIGH
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-05-29 NX GHSA-r863-5pgm-c8g4
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 29, 2026 - 10:01 EUVD
Analysis Generated
May 29, 2026 - 09:16 vuln.today
CVE Published
May 29, 2026 - 08:04 nvd
HIGH 7.5

DescriptionCVE.org

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.Workaround:

For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.

Solution:

Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.

AnalysisAI

Administrator account takeover in Network Optix Nx Witness VMS before 6.1.2 allows remote unauthenticated attackers to hijack authenticated user sessions through a CORS misconfiguration in the REST API when the product runs in default Standard security mode on Linux or Windows. By luring a logged-in operator to a malicious cross-origin page, the attacker's site can read credentialed REST responses and steal the session token, achieving full administrative takeover; no public exploit identified at time of analysis, but the issue is trivially weaponizable given the well-understood CORS attack pattern.

Technical ContextAI

Nx Witness VMS is a video management system whose server component exposes a REST API (paths like /rest/v2/system/settings) used by browser-based clients. The underlying flaw is classified as CWE-942 (Permissive Cross-domain Policy with Untrusted Domains): when running in the default Standard security mode, the server returns Access-Control-Allow-Credentials: true together with an overly permissive Access-Control-Allow-Origin policy, so the browser allows arbitrary attacker-controlled origins to issue credentialed XHR/fetch requests and read the responses, including session tokens. The affected CPE is cpe:2.3:a:network_optix:nx_witness_vms across all versions prior to the fix. The High security mode hardens the supportedOrigins setting and is therefore not affected.

RemediationAI

Vendor-released patch: Nx Witness VMS 6.1.2, in which Access-Control-Allow-Credentials is set to false by default in Standard security mode; upgrading is the primary fix. For installations that cannot upgrade immediately, the vendor-supplied workaround is to issue PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"} via the REST API, which forces Access-Control-Allow-Credentials to false and blocks credentialed cross-origin reads - note this will also break any legitimate browser integrations that rely on cross-origin credentialed calls, so test integrated dashboards/embeds first. Alternatively, on fresh deployments select the High security level during initial setup. Additional compensating controls: restrict the VMS REST interface to a management VLAN so operator browsers cannot be steered to attacker pages while authenticated, and enforce short session lifetimes so any stolen token has limited value. Full details: https://support.networkoptix.com/hc/en-us/articles/39254208939159-How-to-Enable-CORS-Validation.

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2021-34435 HIGH POC
8.8 Sep 01

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2024-41659 HIGH POC
8.1 Aug 20

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2024-37131 CRITICAL
9.8 Jun 13

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated

CVE-2022-26969 CRITICAL
9.8 Dec 26

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9

CVE-2022-31736 CRITICAL
9.8 Dec 22

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-6662 MEDIUM POC
5.5 Apr 20

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint

CVE-2026-9739 CRITICAL
9.4 May 27

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional

CVE-2026-61736 CRITICAL
9.3 Jul 15

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Share

CVE-2026-10056 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy