Description
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.
Published: 2026-05-29
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Acer Predator Connect W6x device contains an improper authentication flaw in its web endpoints. The HTTP Authorization header is not correctly validated: when Base64 decoding of the header fails, the request is not blocked, which lets an attacker bypass authentication. This is an instance of CWE-287 (Improper Authentication), and the resulting unauthorized access can jeopardize both the confidentiality and the integrity of the device's data and services.
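The fail-open pattern described above, shown next to a fail-closed check, as an added example that is not the device's firmware code. It assumes the Basic scheme; the function names and the credential store are hypothetical and constructed for the demonstration.

```python
import base64
import hmac

USERS = {"admin": "correct-horse"}  # constructed credential store for the demo

def make_basic(user, password):
    """Build a well-formed Basic header (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _decode_basic(header):
    """Return (user, password) or raise ValueError on any malformed input."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    # validate=True rejects non-alphabet characters; binascii.Error and
    # UnicodeDecodeError are both subclasses of ValueError.
    raw = base64.b64decode(token, validate=True)
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def _credentials_ok(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def authorize_fail_open(header):
    """Models the reported flaw: a decode error is swallowed, nothing denies."""
    denied = False
    try:
        denied = not _credentials_ok(*_decode_basic(header))
    except ValueError:
        pass  # BUG: 'denied' stays False, so the request proceeds
    return not denied

def authorize_fail_closed(header):
    """Hardened form: any parse or decode failure is a rejection (HTTP 401)."""
    try:
        user, password = _decode_basic(header)
    except ValueError:
        return False
    return _credentials_ok(user, password)

if __name__ == "__main__":
    for h in (make_basic("admin", "correct-horse"), make_basic("admin", "x"),
              "Basic %%%not-base64%%%"):
        print(repr(h), authorize_fail_open(h), authorize_fail_closed(h))
```

The design point is that the default outcome must be denial: access is granted only on the one path where decoding succeeded and the credentials matched.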

Affected Systems

The vulnerability affects Acer Predator Connect W6x devices running firmware versions prior to W6x_GBL_2.00.000008. No other product or version information is specified, so any device that has not upgraded to the fixed firmware is considered vulnerable.

Risk and Exploitability

The CVSS score of 10 indicates a critical severity. Although the EPSS score is not provided, the lack of a listed KEV entry suggests no widely known exploits. The likely attack vector is remote, via the device's exposed web interfaces; an attacker can craft HTTP requests with malformed Authorization headers to gain unauthenticated access to protected resources.

Generated by OpenCVE AI on May 29, 2026 at 10:22 UTC.

Remediation

Vendor Solution

Fixed on firmware version: W6x_GBL_2.00.000008.


OpenCVE Recommended Actions

  • Update the device firmware to version W6x_GBL_2.00.000008 as released by Acer.
  • Ensure that any custom or third‑party web interfaces on the device enforce proper authentication and validate the Authorization header before granting access.
  • Regularly review device logs for anomalous authentication attempts and apply network segmentation or firewall rules to limit exposure of the web interface to the least necessary traffic.


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
| First Time appeared | | Acer; Acer predator Connect W6x |
| Vendors & Products | | Acer; Acer predator Connect W6x |

Fri, 29 May 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 29 May 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
| Description | | Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. |
| Title | | Predator Connect W6x: Improper Authentication |
| Weaknesses | | CWE-287 |
| References | | |
| Metrics | | cvssV4_0: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'} |


MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-05-29T11:34:23.141Z

Reserved: 2026-05-28T02:47:39.776Z

Link: CVE-2026-49197

Vulnrichment

Updated: 2026-05-29T11:34:19.006Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T09:16:17.877

Modified: 2026-05-29T14:46:09.837

Link: CVE-2026-49197

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:22Z

Weaknesses