Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network read of protected audit data via missing server-side access control gives AV:N/AC:L/PR:N/UI:N with C:H and no integrity or availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Johnson & Johnson Audit Tracking Management System (ATMS) before 2026-04-21 allows viewing of meeting minutes and transcripts.
AnalysisAI
Unauthorized information disclosure in Johnson & Johnson's Audit Tracking Management System (ATMS) allowed remote attackers to view sensitive audit meeting minutes and transcripts without authentication in instances deployed before 2026-04-21. The flaw stems from client-side enforcement of access controls (CWE-602), meaning the server failed to verify authorization before returning confidential audit records. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions beyond network reachability of the ATMS web application - exploitation requires no authentication, no user interaction, and no elevated privileges (AV:N/AC:L/PR:N/UI:N), consistent with the server failing to enforce access control (CWE-602). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) describes a network-reachable, low-complexity, unauthenticated read of high-confidentiality data with no integrity or availability impact - internally consistent with the information-disclosure description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker browses to ATMS endpoints serving audit meeting minutes and transcripts and, because the server does not enforce authorization, directly requests and reads confidential records that should be restricted. The low attack complexity and absence of required privileges or user interaction make retrieval straightforward, and a public research write-up describes the underlying webapp weaknesses. |
| Remediation | The issue was addressed by the vendor as of 2026-04-21 (Patch available per vendor advisory; no released version number is published because ATMS is a vendor-hosted application), so any current J&J ATMS deployment should already enforce server-side authorization on meeting-minute and transcript retrieval. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all ATMS deployments and confirm version dates; isolate any pre-2026-04-21 instances from untrusted networks pending remediation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39644
GHSA-pxg7-h6wr-852q