Description
CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.

Workaround:

For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.

Solution:

Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.
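The following is an added example (not Network Optix code and not from the advisory) that shows what the misconfiguration looks like at the HTTP-header level and what the workaround request consists of: a defender-side classifier for the header combination that lets a cross-origin page read a credentialed response, plus a helper that assembles the advisory's PATCH request. The header samples are constructed for illustration, not captured from a real server, and the `https://untrusted.example` origin is a placeholder.

```python
"""Added example, not Network Optix code: classify the CORS response headers
that make this CVE's credentialed cross-origin read possible, and assemble the
vendor-documented workaround request. All header samples are constructed."""
import json
from typing import Mapping, Optional, Tuple


def cors_finding(request_origin: str, headers: Mapping[str, str],
                 trusted_origins: frozenset = frozenset()) -> Optional[str]:
    """Return a finding string when script on a page at `request_origin` could
    read a credentialed response carrying these headers, otherwise None.

    A browser releases a credentialed cross-origin response body to page script
    only when Access-Control-Allow-Credentials is exactly "true" AND
    Access-Control-Allow-Origin names that page's origin ("*" is rejected).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    if not acac:
        return None  # the vendor fix and the workaround both end up here
    if acao == "*":
        return "ACAC=true with ACAO=*: browsers block the read, but the policy is wrong"
    if acao == request_origin and request_origin not in trusted_origins:
        return f"ACAC=true and ACAO reflects untrusted origin {request_origin}"
    return None


def workaround_request() -> Tuple[str, str, str]:
    """(method, path, JSON body) for the advisory's workaround. Sending it with
    an administrator session is left to the deployment's own HTTP client."""
    return ("PATCH", "/rest/v2/system/settings",
            json.dumps({"supportedOrigins": "null"}))


# Constructed samples: what a vulnerable Standard-mode server might answer to a
# request carrying "Origin: https://untrusted.example", and a remediated answer.
VULNERABLE = {"Access-Control-Allow-Origin": "https://untrusted.example",
              "Access-Control-Allow-Credentials": "true",
              "Content-Type": "application/json"}
REMEDIATED = {"Access-Control-Allow-Credentials": "false",
              "Content-Type": "application/json"}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE), ("remediated", REMEDIATED)):
        print(name, "->", cors_finding("https://untrusted.example", hdrs))
    print(*workaround_request())
```

Pointing `cors_finding` at the headers of a real response to an authenticated REST call, with the server's own UI origin in `trusted_origins`, gives a quick pass/fail check before and after applying the workaround.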
Published: 2026-05-29
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CORS misconfiguration allows an unauthenticated attacker to use a malicious cross‑origin web page to retrieve the session token of any authenticated user and hijack the account with Administrator privileges. The flaw exploits an erroneous Access‑Control‑Allow‑Credentials header in the REST API, identified as CWE‑942. Consequently, the attacker can gain unrestricted control of the platform, violating confidentiality, integrity, and availability of the system.

Affected Systems

Network Optix Nx Witness VMS running the default Standard security mode on Linux or Windows is affected in all releases prior to version 6.1.2. The High security mode is not impacted, nor are versions 6.1.2 and later because the configuration defaults to disabling credential sharing.

Risk and Exploitability

With a CVSS v3 score of 7.5 the vulnerability is considered high severity, and although EPSS data is not available, the lack of a KEV listing does not reduce its potential exploitability. The attack can be carried out remotely by simply hosting a malicious web page that the victim visits; no authentication is required to extract the session token, making exploitation straightforward for attackers with social‑engineering or phishing capabilities.

Generated by OpenCVE AI on May 29, 2026 at 10:22 UTC.

Remediation

Vendor Solution

Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.


Vendor Workaround

For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.


OpenCVE Recommended Actions

  • Update Nx Witness VMS to version 6.1.2 or later to ensure Access‑Control‑Allow‑Credentials is set to false in the default configuration.
  • For deployments that cannot be updated immediately, issue a PATCH request to /rest/v2/system/settings with body {"supportedOrigins":"null"} to disable credential sharing while in Standard security mode.
  • Alternatively, re‑configure the instance to use High security mode during initial setup or by applying the high‑security configuration to eliminate the vulnerable CORS setting.

Generated by OpenCVE AI on May 29, 2026 at 10:22 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

First Time appeared: added Network Optix; Network Optix nx Witness Vms
Vendors & Products: added Network Optix; Network Optix nx Witness Vms

Fri, 29 May 2026 15:30:00 +0000

Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 09:00:00 +0000

Description: added (identical to the Description section at the top of this page)
Title: added "CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request"
Weaknesses: added CWE-942
References: none
Metrics (cvssV3_1): added {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: NX

Published:

Updated: 2026-05-29T14:59:18.375Z

Reserved: 2026-05-29T07:52:32.185Z

Link: CVE-2026-10056

Vulnrichment

Updated: 2026-05-29T14:59:04.710Z

NVD

Status: Received

Published: 2026-05-29T09:16:17.147

Modified: 2026-05-29T09:16:17.147

Link: CVE-2026-10056

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:25Z

Weaknesses