Skip to main content

Mythic C2 EUVDEUVD-2026-40169

| CVE-2026-57952 MEDIUM
Missing Authorization (CWE-862)
2026-06-29 disclosure@vulncheck.com GHSA-vq63-9qrm-qv35
6.0
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network-accessible REST API (AV:N), but requires a foreign payload UUID (AC:H); operator auth needed (PR:L); crosses operation security boundary exposing another operation's secrets (S:C/C:H).

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 19:01 EUVD
Analysis Generated
Jun 29, 2026 - 18:39 vuln.today

DescriptionCVE.org

Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.

AnalysisAI

Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile configurations to authenticated operators from separate operations. Four webhook REST endpoints - c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook - fail to verify that a submitted payload UUID belongs to the caller's operation, allowing an operator in Operation A to retrieve the full C2 profile configuration of Operation B by supplying a known UUID. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Mythic operator
Delivery
Obtain payload UUID from separate operation
Exploit
Invoke vulnerable webhook endpoint with foreign UUID
Execution
Server returns C2 profile config and encryption keys
Impact
Use keys to decrypt or intercept operational traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) a valid authenticated operator-level account on the target Mythic instance - PR:L in CVSS 4.0 confirms authentication is required; (2) knowledge of a payload UUID belonging to a different operation on the same server - this is the primary complexity barrier (AC:H) and limits exploitation to scenarios where multiple operations share one Mythic deployment and the attacker can enumerate or obtain a foreign UUID. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate but operationally significant given Mythic's red-team context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A red-team operator authenticated to a shared Mythic server for Operation A discovers or guesses a payload UUID belonging to Operation B (e.g., via log exposure, a misconfigured dashboard, or social engineering a colleague). The operator sends a crafted POST request to the c2profile_config_check_webhook endpoint with Operation B's UUID. …
Remediation Upgrade Mythic to version 3.4.0.60 or later, which adds payload ownership verification to the four affected webhook endpoints. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy