Skip to main content

Mythic C2 EUVDEUVD-2026-40138

| CVE-2026-57953 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-29 disclosure@vulncheck.com GHSA-2mvr-4jqv-324m
5.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-reachable endpoint requires spectator-role credentials (PR:L, AV:N); no confidentiality impact, only limited integrity and availability impact on automation workflows.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 19:01 EUVD
Analysis Generated
Jun 29, 2026 - 18:39 vuln.today

DescriptionCVE.org

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.

AnalysisAI

Authorization bypass in Mythic C2 framework before 3.4.0.60 allows authenticated spectator-role users to perform write operations against the eventing_import_automatic_webhook endpoint, which is incorrectly registered under spectator-permitted middleware. Spectator accounts - intended to be read-only observers of red team operations - can exploit this misconfiguration to create and delete automation workflows and EventGroups, effectively escalating their privilege within an active operation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise spectator-role credentials
Delivery
Authenticate to Mythic C2 server
Exploit
Send crafted write request to eventing_import_automatic_webhook
Execution
Bypass spectator middleware authorization check
Persist
Create or delete automation workflows and EventGroups
Impact
Disrupt or subvert active red team operation automation

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid Mythic account assigned the spectator role - a low-privilege role intended for read-only observation of C2 operations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L reflects a realistic moderate risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker or malicious insider holding a spectator-role account in a Mythic deployment sends crafted HTTP POST requests directly to the eventing_import_automatic_webhook endpoint, bypassing the intended role enforcement at the middleware layer. Using this access, they create unauthorized automation workflows or delete existing EventGroups, potentially injecting rogue automation into an active red team operation or sabotaging operational continuity. …
Remediation Upgrade Mythic to version 3.4.0.60 or later; this is the primary and recommended remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy