Skip to main content

Mongoose EUVD-2026-18184

| CVE-2026-5246 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-02 VulDB GHSA-hm7q-jq63-pr78
Authentication Bypass Mongoose
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.3 (MEDIUM) 2.9 (LOW)
EUVD ID Assigned
Apr 02, 2026 - 10:00 euvd
EUVD-2026-18184
Analysis Generated
Apr 02, 2026 - 10:00 vuln.today
Patch released
Apr 02, 2026 - 10:00 nvd
Patch available
CVE Published
Apr 02, 2026 - 09:45 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Authorization bypass in Cesanta Mongoose up to version 7.20 allows remote, unauthenticated attackers to bypass TLS certificate signature verification in the P-384 public key handler (mg_tls_verify_cert_signature function in mongoose.c), potentially enabling man-in-the-middle attacks or unauthorized access. The attack is highly complex (CVSS AC:H) but publicly disclosed exploit code exists, with vendor-released patch available in version 7.21.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS score of 5.6 (Medium) with vector AV:N/AC:H/PR:N/UI:N indicates remote, unauthenticated exploitation with high attack complexity and partial impact on confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker intercepts TLS traffic to a Mongoose-based embedded device or server (e.g., IoT device, firmware update server, or embedded web interface). By exploiting the P-384 signature verification bypass, the attacker crafts a malicious certificate with an invalid signature that passes Mongoose's flawed validation logic, establishing a successful man-in-the-middle position. …
Remediation Vendor-released patch: Upgrade to Cesanta Mongoose version 7.21 or later, which includes the fix commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-18184 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy