Skip to main content

J&J ATMS CVE-2026-57913

| EUVDEUVD-2026-39644 HIGH
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-06-26 mitre GHSA-pxg7-h6wr-852q
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network read of protected audit data via missing server-side access control gives AV:N/AC:L/PR:N/UI:N with C:H and no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 12:02 EUVD
Analysis Generated
Jun 26, 2026 - 11:21 vuln.today

DescriptionCVE.org

Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts.

AnalysisAI

Unauthorized information disclosure in Johnson & Johnson's Audit Tracking Management System (ATMS) allowed remote attackers to view sensitive audit meeting minutes and transcripts without authentication in instances deployed before 2026-04-21. The flaw stems from client-side enforcement of access controls (CWE-602), meaning the server failed to verify authorization before returning confidential audit records. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach ATMS web application over network
Exploit
Request audit minutes/transcript endpoint
Execution
Server omits authorization check
Impact
Read confidential audit records

Vulnerability AssessmentAI

Exploitation No special conditions beyond network reachability of the ATMS web application - exploitation requires no authentication, no user interaction, and no elevated privileges (AV:N/AC:L/PR:N/UI:N), consistent with the server failing to enforce access control (CWE-602). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) describes a network-reachable, low-complexity, unauthenticated read of high-confidentiality data with no integrity or availability impact - internally consistent with the information-disclosure description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker browses to ATMS endpoints serving audit meeting minutes and transcripts and, because the server does not enforce authorization, directly requests and reads confidential records that should be restricted. The low attack complexity and absence of required privileges or user interaction make retrieval straightforward, and a public research write-up describes the underlying webapp weaknesses.
Remediation The issue was addressed by the vendor as of 2026-04-21 (Patch available per vendor advisory; no released version number is published because ATMS is a vendor-hosted application), so any current J&J ATMS deployment should already enforce server-side authorization on meeting-minute and transcript retrieval. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all ATMS deployments and confirm version dates; isolate any pre-2026-04-21 instances from untrusted networks pending remediation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy