Description
Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows anyone to retrieve internal multimedia session recordings without any authentication. The exposure is compounded by permissive Cross‑Origin Resource Sharing rules that let external sites download these recordings, effectively enabling cross‑site theft of sensitive meeting content.

Affected Systems

Acer’s Connect M6E 5G Portable WiFi Router is affected. No specific firmware version is disclosed, so all current releases that include the exposed endpoints are at risk.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered High severity. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog, but the lack of authentication and liberal CORS policy make the attack very straightforward for anyone who can reach the router’s internal network. This makes the risk especially acute in environments where the router is exposed to untrusted traffic or where sensitive recordings are stored.

Generated by OpenCVE AI on June 4, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Acer that patches the unverified recording endpoints and tightens CORS policies.
  • If no update is available, disable the recording endpoints or enforce authentication so that only authorized users can access the archives.
  • Reconfigure the CORS settings to allow requests only from trusted origins or to remove cross‑domain sharing entirely.
  • Consider network segmentation or isolation of devices that require access to the router’s internal interface to limit exposure.

Generated by OpenCVE AI on June 4, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Acer connect M6e 5g Portable Wifi Router
Vendors & Products Acer connect M6e 5g Portable Wifi Router

Thu, 04 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
CPEs cpe:2.3:h:acer:connect_m6e_5g:-:*:*:*:*:*:*:*
cpe:2.3:o:acer:connect_m6e_5g_firmware:*:*:*:*:*:*:*:*
Vendors & Products Acer
Acer connect M6e 5g
Acer connect M6e 5g Firmware
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.
Title Unverified Meeting Recording Endpoints & Permissive CORS
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Acer Connect M6e 5g Connect M6e 5g Firmware Connect M6e 5g Portable Wifi Router
cve-icon MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T12:32:02.997Z

Reserved: 2026-05-28T02:47:39.776Z

Link: CVE-2026-49202

cve-icon Vulnrichment

Updated: 2026-06-04T12:31:58.354Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T07:16:27.580

Modified: 2026-06-04T19:38:32.743

Link: CVE-2026-49202

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:09:00Z

Weaknesses