Skip to main content

Mythic

3 CVEs product

Monthly

CVE-2026-57953 MEDIUM PATCH This Month

Authorization bypass in Mythic C2 framework before 3.4.0.60 allows authenticated spectator-role users to perform write operations against the eventing_import_automatic_webhook endpoint, which is incorrectly registered under spectator-permitted middleware. Spectator accounts - intended to be read-only observers of red team operations - can exploit this misconfiguration to create and delete automation workflows and EventGroups, effectively escalating their privilege within an active operation. No public exploit code has been identified and no CISA KEV listing exists; a vendor-released patch is available in v3.4.0.60.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-57952 MEDIUM PATCH This Month

Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile configurations to authenticated operators from separate operations. Four webhook REST endpoints - c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook - fail to verify that a submitted payload UUID belongs to the caller's operation, allowing an operator in Operation A to retrieve the full C2 profile configuration of Operation B by supplying a known UUID. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.0 reflects high complexity due to the prerequisite of obtaining a cross-operation UUID.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-57951 HIGH PATCH This Week

Cross-operation information disclosure in Mythic C2 framework versions before 3.4.0.60 allows any authenticated operator or spectator to read payload build artifacts belonging to operations they are not assigned to. A broken Hasura GraphQL permission filter on the payload_build_step table contains an always-true _or clause, neutralizing the operation-scoped row-level access control and exposing step_stdout, step_stderr, step_name, and step_description across every operation on the server. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is publicly committed and the conditions are trivial for any logged-in low-privilege user.

Authentication Bypass Mythic
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authorization bypass in Mythic C2 framework before 3.4.0.60 allows authenticated spectator-role users to perform write operations against the eventing_import_automatic_webhook endpoint, which is incorrectly registered under spectator-permitted middleware. Spectator accounts - intended to be read-only observers of red team operations - can exploit this misconfiguration to create and delete automation workflows and EventGroups, effectively escalating their privilege within an active operation. No public exploit code has been identified and no CISA KEV listing exists; a vendor-released patch is available in v3.4.0.60.

Authentication Bypass Mythic
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile configurations to authenticated operators from separate operations. Four webhook REST endpoints - c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook - fail to verify that a submitted payload UUID belongs to the caller's operation, allowing an operator in Operation A to retrieve the full C2 profile configuration of Operation B by supplying a known UUID. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.0 reflects high complexity due to the prerequisite of obtaining a cross-operation UUID.

Authentication Bypass Mythic
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-operation information disclosure in Mythic C2 framework versions before 3.4.0.60 allows any authenticated operator or spectator to read payload build artifacts belonging to operations they are not assigned to. A broken Hasura GraphQL permission filter on the payload_build_step table contains an always-true _or clause, neutralizing the operation-scoped row-level access control and exposing step_stdout, step_stderr, step_name, and step_description across every operation on the server. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is publicly committed and the conditions are trivial for any logged-in low-privilege user.

Authentication Bypass Mythic
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy