Description
The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages.
Published: 2026-06-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is that the production build of the M3WebServer hard‑codes its backend API keys, and these keys can be captured through verbose error handling pages. An attacker who can trigger such error pages can retrieve the hard‑coded key and use the backend APIs with full privilege, enabling configuration changes, service disruption, or exploitation of other devices on the same network. The weakness is an authentication flaw (CWE‑287), leading to significant loss of confidentiality, integrity, and potentially availability of the router’s management interface.

Affected Systems

Acer Connect M6E 5G Portable WiFi Router. No version details are specified, but the vulnerability exists in the production firmware of this router model.

Risk and Exploitability

The CVSS score of 9.3 marks this issue as critical. Although an EPSS score is not provided, the combination of a hard‑coded key, easy interception, and network‑exposed error pages indicates a high likelihood of exploitation on connected networks. The vulnerability is not listed in CISA’s KEV catalog, but its severity and exploitability still warrant immediate attention. The attack vector is likely over the local network, where any device that can reach the router’s management interface may trigger the verbose error pages and capture the key.

Generated by OpenCVE AI on June 4, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the latest firmware version that removes hard‑coded API keys
  • Disable or restrict verbose error handling pages so that error output is not exposed over the network
  • Configure the router’s firewall to block unsolicited inbound connections to management ports

Generated by OpenCVE AI on June 4, 2026 at 08:23 UTC.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware |
| CPEs | | cpe:2.3:h:acer:connect_m6e_5g:-:\*:\*:\*:\*:\*:\*:\*; cpe:2.3:o:acer:connect_m6e_5g_firmware:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Acer; Acer connect M6e 5g; Acer connect M6e 5g Firmware |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Thu, 04 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 04 Jun 2026 07:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages. |
| Title | | Exposed Hard-coded M3WebServer Backend API Key |
| Weaknesses | | CWE-287 |
| References | | |
| Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:40:48.143Z

Reserved: 2026-05-28T02:46:15.561Z

Link: CVE-2026-49191

Vulnrichment

Updated: 2026-06-04T12:40:44.233Z

NVD

Status: Analyzed

Published: 2026-06-04T07:16:27.013

Modified: 2026-06-04T19:39:40.520

Link: CVE-2026-49191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T08:30:09Z

Weaknesses