Description
Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service.
Published: 2026-06-04
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper validation in the device dissociation API on Acer Connect M6E 5G Portable WiFi Routers. An unauthenticated or authorized remote actor can send crafted commands that force the router to unbind user endpoints that are unrelated to the actor, causing a severe denial of service for those endpoints and disrupting connectivity for affected users.

Affected Systems

Affected hardware includes Acer Connect M6E 5G Portable WiFi Routers. No specific firmware revisions were disclosed, so all current releases should be considered potentially vulnerable until an update is issued.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, which is rated High. No EPSS data is available and the issue is not yet listed in the CISA KEV catalog. Attackers can exploit it remotely by targeting the dissociation API endpoint over the management interface. Mitigation is currently limited to vendor firmware updates, so monitoring and restricting access are the primary preventive measures.

Generated by OpenCVE AI on June 4, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Acer.
  • Restrict or disable remote access to the device dissociation API, for example by firewall rules or disabling remote management.
  • Monitor router logs and network traffic for unauthorized unbinding attempts and investigate any suspicious activity.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service.
Title | | Arbitrary Remote Device Unbinding
Weaknesses | | CWE-400
References | |
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: Acer

Published:

Updated: 2026-06-04T07:32:55.042Z

Reserved: 2026-06-04T01:29:10.112Z

Link: CVE-2026-50212

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T09:16:29.847

Modified: 2026-06-04T09:16:29.847

Link: CVE-2026-50212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T09:30:10Z
