Unauthorized Access in Vexa Meeting Bot API
CVE-2026-25058

7.5HIGH

Key Information:

Vendor: Vexa-ai
Status: Vexa
Vendor: CVE Published:; 20 April 2026

What is CVE-2026-25058?

The Vexa Meeting Bot API has a serious security flaw where the transcription-collector service inadequately secures an internal endpoint, allowing unauthenticated access to meeting transcripts. This oversight enables potential attackers to list all meeting IDs and retrieve confidential data from any meeting without needing any credentials. Data at risk includes sensitive business conversations, passwords, and personal identifiable information (PII). This vulnerability has been addressed in version 0.10.0-260419-1910 to prevent unauthorized access.

Affected Version(s)

vexa < 0.10.0-260419-1910

References

https://github.com/Vexa-ai/vexa/security/advisories/GHSA-...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Jan 28, 2026

CVE-2026-25058 Data

JSON