Authorization Bypass Vulnerability in Mythic by Its-a-Feature
CVE-2026-57953
5.3 MEDIUM
What is CVE-2026-57953?
Mythic versions prior to 3.4.0.60 contain an authorization bypass that lets authenticated users holding only the spectator role perform write actions they are not authorized for. The flaw lies in the eventing_import_automatic_webhook endpoint, which is registered behind middleware that admits the spectator role even though the action it performs is a write. A user with the spectator role can use this endpoint to create or delete automation workflows and change operational automation settings, compromising the integrity of EventGroups.
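As an added illustration, not Mythic's own code and not part of the advisory, the following Go route table shows the defect class in miniature: a write endpoint registered behind the read-only middleware group that admits spectators, beside the corrected registration behind a writer-only group. The endpoint path, the "operator" role name and the X-Role header are assumptions made for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// "spectator" is the role named in the advisory; "operator" and the path are assumed.
const (
	roleSpectator = "spectator"
	roleOperator  = "operator"
	webhookPath   = "/eventing_import_automatic_webhook"
)
// requireRole rejects callers whose role is not allowed; X-Role stands in for a session lookup (assumed).
func requireRole(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Header.Get("X-Role")] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// importWebhook stands in for the write action (creating automation workflows).
func importWebhook(w http.ResponseWriter, _ *http.Request) {
	w.WriteHeader(http.StatusCreated)
}
// newRouter: hardened=false puts the write endpoint behind the spectator-admitting read-only group (the defect); hardened=true requires a writer role.
func newRouter(hardened bool) http.Handler {
	readOnly := map[string]bool{roleSpectator: true, roleOperator: true}
	writers := map[string]bool{roleOperator: true}
	guard := readOnly
	if hardened {
		guard = writers
	}
	mux := http.NewServeMux()
	mux.Handle(webhookPath, requireRole(guard, http.HandlerFunc(importWebhook)))
	return mux
}
// StatusFor returns the HTTP status a caller with the given role gets from a POST to the write endpoint.
func StatusFor(hardened bool, role string) int {
	req := httptest.NewRequest(http.MethodPost, webhookPath, nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	newRouter(hardened).ServeHTTP(rec, req)
	return rec.Code
}
func main() {
	println("spectator on vulnerable router:", StatusFor(false, roleSpectator), "hardened:", StatusFor(true, roleSpectator))
}
```

A regression test of this shape, one that asserts a spectator receives 403 from every write endpoint, is the check that catches a route landing in the wrong middleware group.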
Affected Version(s)
Mythic: all versions before 3.4.0.60
