Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint requires spectator-role credentials (PR:L, AV:N); no confidentiality impact, only limited integrity and availability impact on automation workflows.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
AnalysisAI
Authorization bypass in Mythic C2 framework before 3.4.0.60 allows authenticated spectator-role users to perform write operations against the eventing_import_automatic_webhook endpoint, which is incorrectly registered under spectator-permitted middleware. Spectator accounts - intended to be read-only observers of red team operations - can exploit this misconfiguration to create and delete automation workflows and EventGroups, effectively escalating their privilege within an active operation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Mythic account assigned the spectator role - a low-privilege role intended for read-only observation of C2 operations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L reflects a realistic moderate risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker or malicious insider holding a spectator-role account in a Mythic deployment sends crafted HTTP POST requests directly to the eventing_import_automatic_webhook endpoint, bypassing the intended role enforcement at the middleware layer. Using this access, they create unauthorized automation workflows or delete existing EventGroups, potentially injecting rogue automation into an active red team operation or sabotaging operational continuity. … |
| Remediation | Upgrade Mythic to version 3.4.0.60 or later; this is the primary and recommended remediation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-operation information disclosure in Mythic C2 framework versions before 3.4.0.60 allows any authenticated operator
Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile confi
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40138
GHSA-2mvr-4jqv-324m