Description
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The summary service endpoint for the Acer Connect M6E 5G Portable WiFi Router contains an insecure direct object reference that does not verify that a user owns a requested hardware serial number. This flaw allows an attacker to request information for any serial number and retrieve device data that should be restricted. The vulnerability results in the exposure of confidential device details such as configuration or usage metrics.

Affected Systems

Acer Connect M6E 5G Portable WiFi Router

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating medium severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is an authenticated or local network user who can send requests to the summary service for arbitrary serial numbers, or an attacker who can intercept these requests over the network. Because the flaw is an IDOR, exploitation only requires the ability to access the service endpoint, and it can be performed without additional privileges beyond network access to the device.

Generated by OpenCVE AI on June 4, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any firmware update that addresses the IDOR flaw
  • Configure network segmentation or firewall rules to restrict who can reach the summary service
  • If a patch is not yet available, disable the summary service or enforce a proper ownership check before releasing data

Generated by OpenCVE AI on June 4, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
CPEs cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*
cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:*
Vendors & Products Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
Title Summary Service Insecure Direct Object Reference
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Acer Connect M6e 5g Connect M6e 5g Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:35:37.028Z

Reserved: 2026-05-28T02:46:15.561Z

Link: CVE-2026-49192

cve-icon Vulnrichment

Updated: 2026-06-04T12:35:33.788Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T07:16:27.153

Modified: 2026-06-04T19:39:27.067

Link: CVE-2026-49192

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T08:30:09Z

Weaknesses