Skip to main content

Hearing Reminder Service CVE-2026-61344

| EUVDEUVD-2026-42663 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-07-09 9119a7d8-5eab-497f-8521-727c672e3725 GHSA-3q6q-8gwq-hrm6
6.9
CVSS 4.0 · Vendor: 9119a7d8-5eab-497f-8521-727c672e3725
Share

Severity by source

Vendor (9119a7d8-5eab-497f-8521-727c672e3725) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable API with no authentication (PR:N, AC:L); impact is read-only partial confidentiality disclosure (C:L) with no integrity or availability effect and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (9119a7d8-5eab-497f-8521-727c672e3725).

CVSS VectorVendor: 9119a7d8-5eab-497f-8521-727c672e3725

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 19:01 EUVD
Analysis Generated
Jul 09, 2026 - 18:50 vuln.today

DescriptionCVE.org

The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication.

AnalysisAI

Unauthenticated API exposure in the Superior Court of California's Hearing Reminder Service (hrs.courts.ca.gov) permits any internet-accessible party to retrieve court reminder records containing potentially sensitive information with no credentials or preconditions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote access, making bulk data harvesting trivial for any motivated actor. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify unauthenticated API endpoint at hrs.courts.ca.gov
Delivery
Send HTTP request without credentials
Exploit
Receive court reminder records
Execution
Enumerate records by case ID or date
Impact
Harvest PII and case schedule data

Vulnerability AssessmentAI

Exploitation No special conditions are required for exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 (Medium) reflects a straightforward confidentiality-only exposure: AV:N/AC:L/AT:N/PR:N/UI:N with VC:L and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker with standard internet access identifies the unauthenticated API endpoint at hrs.courts.ca.gov through OSINT, directory enumeration, or public disclosure of the CVE. The attacker issues repeated unauthenticated HTTP requests to the endpoint, iterating over case numbers or date ranges to systematically harvest court reminder records containing names, phone numbers, email addresses, case identifiers, and upcoming hearing dates for California court participants. …
Remediation The primary fix is to implement authentication and authorization controls on the affected API endpoint, ensuring that court reminder records are returned only to verified and authorized requestors - such as authenticated court staff, registered members of the public with validated sessions, or systems using API keys with appropriate scoping. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy