Impact
The vulnerability is an unauthenticated and unauthorised internal endpoint, GET /internal/transcripts/{meeting_id}, that allowed any caller to retrieve transcript data for any meeting. The weakness falls under missing authentication (CWE-306) and missing authorization (CWE-862). An attacker can enumerate meeting identifiers, download full transcripts, and thereby obtain confidential business conversations, passwords, and personal data, a significant breach of confidentiality.
Affected Systems
The issue affects the Vexa meeting bot and transcription API supplied by Vexa-ai. Any deployment of the transcription-collector service built from a version prior to 0.10.0-260419-1910 is vulnerable. Upgrading to release 0.10.0-260419-1910 or newer removes the exposed internal endpoint.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. No EPSS score is available, but because the endpoint requires no authentication, an attacker who can reach the service can request transcript data with a single HTTP GET. Although the endpoint is logically internal, the likely attack vector is either an internal network or a publicly exposed API; any organization running a vulnerable version on a network reachable by an attacker therefore faces a high risk of confidential data leakage. The vulnerability is not listed in the CISA KEV catalogue, but the absence of safeguards makes exploitation straightforward once an attacker has network access.
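As an added example (not part of the advisory or of the Vexa project), the following check scans HTTP access logs for successful reads of GET /internal/transcripts/{meeting_id}: any 200 on that path means a pre-0.10.0-260419-1910 build is still serving the endpoint, a read from outside the assumed internal ranges shows exposure, and many distinct meeting ids from one client suggests enumeration. The log format, the internal address ranges and the sample lines are all constructed for this example.

```python
"""Flag reads of GET /internal/transcripts/{meeting_id} in access logs.
Hypothetical, simplified log format (constructed): <client_ip> <method> <path> <status>
"""
import ipaddress
import re
from collections import defaultdict

TRANSCRIPT_RE = re.compile(r"^(\S+) (\S+) /internal/transcripts/([^/\s?]+)\S* (\d{3})$")
# Assumption: only these ranges should ever reach an internal-only service.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
ENUM_THRESHOLD = 3  # distinct meeting ids from one client before flagging enumeration


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines):
    """Return a sorted list of findings as (kind, client_ip, detail) tuples."""
    findings, ids_per_client, served = [], defaultdict(set), False
    for line in lines:
        m = TRANSCRIPT_RE.match(line.strip())
        if not m:
            continue  # not a transcript request
        ip, method, meeting_id, status = m.groups()
        if method != "GET" or status != "200":
            continue  # only successful transcript reads matter here
        served = True
        ids_per_client[ip].add(meeting_id)
        if not is_internal(ip):
            findings.append(("external_read", ip, meeting_id))
    for ip, ids in ids_per_client.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.append(("enumeration", ip, str(len(ids))))
    if served:  # the fixed release no longer serves this path at all
        findings.append(("endpoint_still_served", "*", "upgrade to 0.10.0-260419-1910 or newer"))
    return sorted(findings)


# Constructed sample: one internal read, one external client walking meeting ids.
SAMPLE_LOG = [
    "10.1.2.3 GET /internal/transcripts/mtg-1001 200",
    "203.0.113.7 GET /internal/transcripts/mtg-1001 200",
    "203.0.113.7 GET /internal/transcripts/mtg-1002 200",
    "203.0.113.7 GET /internal/transcripts/mtg-1003?format=json 200",
    "203.0.113.7 GET /internal/transcripts/mtg-1004 404",
    "203.0.113.7 GET /health 200",
]

if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LOG):
        print(f"{kind:22} {ip:14} {detail}")
```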
OpenCVE Enrichment