Skip to main content

Mesalvo Meona CVE-2026-22315

| EUVDEUVD-2026-31092 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-05-20 ENISA GHSA-74c8-2c8j-qpj7
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 11:45 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export  of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

AnalysisAI

Privilege misassignment in Mesalvo Meona Client Launcher and Server components allows authenticated high-privilege users to abuse the built-in SQL editor to exfiltrate user records - including cleartext-stored passwords - from the application backend. The flaw affects Meona Client Launcher up to build dated 19.06.2020 15:11:49 and Meona Server Component up to 2025.04 5+323020. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Meona is a clinical/healthcare information system distributed by Mesalvo as a thick-client launcher paired with a server backend; the launcher provides administrative tooling that includes an SQL editor used to query the backing database. The root cause is CWE-266 (Incorrect Privilege Assignment), meaning a role or session is granted permissions broader than intended - here, the SQL editor function is reachable by accounts that should not have the ability to dump arbitrary tables. Compounding the issue, the underlying user table stores credentials in cleartext rather than as salted hashes, so SELECT access is sufficient to harvest reusable passwords.

RemediationAI

No vendor-released patch version is identified at time of analysis in the supplied references, so organizations should contact Mesalvo directly for a fixed Client Launcher build dated after 19.06.2020 15:11:49 and a Server Component build above 2025.04 5+323020, citing the research write-up at https://seccore.at/blog/cves-meona/. As compensating controls until a confirmed fix is deployed, restrict the SQL editor functionality to a minimal break-glass admin group (network-segment the launcher and require jump-host access), audit and reduce the number of accounts holding the high-privilege role exploitable here, and force a password reset for all Meona users with the assumption that previously stored credentials may be compromised; long-term the vendor must migrate the user table from cleartext to a salted password hash, since restricting the SQL editor alone does not remove the underlying credential-storage weakness.

Share

CVE-2026-22315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy