Audit Tracking Management System
Monthly
Unauthorized information disclosure in Johnson & Johnson's Audit Tracking Management System (ATMS) allowed remote attackers to view sensitive audit meeting minutes and transcripts without authentication in instances deployed before 2026-04-21. The flaw stems from client-side enforcement of access controls (CWE-602), meaning the server failed to verify authorization before returning confidential audit records. A public security research write-up by Eaton Works documents the issue, though no weaponized exploit or active exploitation (KEV) has been confirmed, and no public exploit code was identified at time of analysis.
Unauthorized information disclosure in Johnson & Johnson's Audit Tracking Management System (ATMS) allowed remote attackers to view sensitive audit meeting minutes and transcripts without authentication in instances deployed before 2026-04-21. The flaw stems from client-side enforcement of access controls (CWE-602), meaning the server failed to verify authorization before returning confidential audit records. A public security research write-up by Eaton Works documents the issue, though no weaponized exploit or active exploitation (KEV) has been confirmed, and no public exploit code was identified at time of analysis.