Description
Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
Published: 2026-05-20
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported flaw is an incorrect privilege assignment in the Mesalvo Meona Client Launcher Component and Server Component that permits a user to export user data through the SQL editor without proper access checks. This capability can reveal clear‑text passwords along with other sensitive account information. The consequence is a violation of confidentiality that could enable an attacker to impersonate legitimate users or compromise downstream systems that rely on those credentials.

Affected Systems

The affected vendor is Mesalvo. The affected products are the Meona Client Launcher Component up to version 19.06.2020 15:11:49 and the Meona Server Component up to version 2025.04 5+323020. Both components provide the vulnerable SQL editor interface.

Risk and Exploitability

The CVSS score of 7.2 reflects a moderate‑to‑high severity risk. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Because the issue stems from an incorrect privilege model exercised via the SQL editor, the attack vector is likely internal or through authenticated access, but could be expanded if the editor is reachable over a network. Attackers would simply execute a query that exports the user dataset, gaining full credential exposure without needing additional privileges.

Generated by OpenCVE AI on May 20, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Mesalvo to obtain and apply an updated release that corrects the privilege assignment in the SQL editor.
  • If no patch is immediately available, disable or remove the SQL editor functionality to prevent the export of user data.
  • Enforce strict role‑based access control for any data export feature, audit exports for suspicious activity, and rotate all user passwords that may have been exposed by the vulnerability.

Advisories

No advisories yet.

References
History

Wed, 20 May 2026 12:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: SQL Editor Privilege Escalation Exposes Cleartext Passwords

Wed, 20 May 2026 12:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-20T12:06:30.389Z

Reserved: 2026-01-07T09:31:00.563Z

Link: CVE-2026-22315

Vulnrichment

Updated: 2026-05-20T12:03:34.350Z

NVD

Status: Deferred

Published: 2026-05-20T11:16:26.187

Modified: 2026-05-20T14:03:10.193

Link: CVE-2026-22315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T12:30:16Z

Weaknesses