Authorization Bypass in Mythic by Its-a-Feature Affects Multiple REST Endpoints
CVE-2026-57952

6 MEDIUM

Key Information:

Status
Vendor
CVE Published: 29 June 2026

What is CVE-2026-57952?

Mythic versions prior to 3.4.0.60 are vulnerable to an authorization bypass affecting specific REST endpoints. The affected endpoints do not verify that a supplied payload UUID belongs to the caller's current operation, so an operator in one operation can submit a payload UUID from a different operation and read that operation's C2 profile configuration, including sensitive values such as encryption keys and callback parameters. Enforcing authentication and per-operation authorization checks on these endpoints is critical to prevent this data exposure.
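The flaw described above is a missing ownership check on an object looked up by identifier. The following Go example is added here to illustrate it and is not Mythic's own code: Mythic's server is written in Go, so the lookup is modelled in Go with a constructed in-memory payload table. The `Payload` type, the field names, the sample UUIDs and the `auditLog` slice are all assumptions made for this example. `lookupUnchecked` models the pre-fix behaviour, where the UUID alone selects the record; `lookupScoped` is the hardened form, which returns the record only when its operation matches the caller's current operation and records denied cross-operation requests for detection.

```go
package main

import (
	"errors"
	"fmt"
)

// Payload is a constructed stand-in for a payload record; the field names are
// assumptions for this example, not Mythic's own schema.
type Payload struct {
	UUID        string
	OperationID int
	C2Config    map[string]string // C2 profile parameters, e.g. callback host and key
}

// Constructed sample UUIDs and records standing in for the database.
const (
	payloadOp1 = "11111111-1111-4111-8111-111111111111"
	payloadOp2 = "22222222-2222-4222-8222-222222222222"
)

var payloads = map[string]Payload{
	payloadOp1: {UUID: payloadOp1, OperationID: 1, C2Config: map[string]string{
		"callback_host": "https://op1.example", "aes_key": "<op1-key-placeholder>"}},
	payloadOp2: {UUID: payloadOp2, OperationID: 2, C2Config: map[string]string{
		"callback_host": "https://op2.example", "aes_key": "<op2-key-placeholder>"}},
}

// ErrNotFound is returned both when the UUID is unknown and when it belongs to
// another operation, so the endpoint cannot be used to confirm foreign UUIDs.
var ErrNotFound = errors.New("payload not found")

// auditLog collects denied cross-operation lookups; in a real deployment this
// would go to the server log so the attempts are visible to the operation lead.
var auditLog []string

// lookupUnchecked models the behaviour the advisory describes: the payload UUID
// alone selects the record, so any valid UUID is served regardless of operation.
func lookupUnchecked(payloadUUID string) (map[string]string, error) {
	p, ok := payloads[payloadUUID]
	if !ok {
		return nil, ErrNotFound
	}
	return p.C2Config, nil
}

// lookupScoped is the hardened form: the record is returned only when it belongs
// to the operation the caller is currently acting in.
func lookupScoped(callerOperationID int, payloadUUID string) (map[string]string, error) {
	p, ok := payloads[payloadUUID]
	if !ok {
		return nil, ErrNotFound
	}
	if p.OperationID != callerOperationID {
		auditLog = append(auditLog, fmt.Sprintf(
			"denied: operation %d requested payload %s owned by operation %d",
			callerOperationID, payloadUUID, p.OperationID))
		return nil, ErrNotFound
	}
	return p.C2Config, nil
}

func main() {
	// A caller acting in operation 1 asks for operation 2's payload.
	if cfg, err := lookupUnchecked(payloadOp2); err == nil {
		fmt.Println("unchecked lookup leaked:", cfg["callback_host"])
	}
	if _, err := lookupScoped(1, payloadOp2); err != nil {
		fmt.Println("scoped lookup:", err)
	}
	for _, line := range auditLog {
		fmt.Println(line)
	}
}
```

The hardened lookup deliberately returns the same `ErrNotFound` for an unknown UUID and for a UUID owned by another operation, so the response does not confirm whether a foreign payload exists; the denied attempt is recorded separately for detection rather than reported back to the caller.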

Affected Version(s)

Mythic < 3.4.0.60 (all versions before 3.4.0.60)

References

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen.