Description
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
Published: 2026-06-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Mythic arises from a broken permission filter in the Hasura layer that manages the payload_build_step table. An always‑satisfied _or condition in the filter removes the intended operation‑scoped restriction, allowing legitimate users to read step_stdout, step_stderr, step_name, and step_description data for every operation hosted on the server. This flaw permits an authenticated operator or spectator to access potentially sensitive execution details from all payloads, exposing confidential information that should be isolated to the owning operation.
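A defender can lint exported Hasura table metadata for this class of flaw. The sketch below is an added example, not code from Mythic or OpenCVE. It relies on Hasura treating an empty filter `{}` as matching every row, so an `_or` containing such a branch is always satisfied. The page does not give the exact shape of Mythic's broken branch, so the sample metadata, the `payload` relationship, the `operation_id` column and the `X-Hasura-Operation-Id` session variable are constructed assumptions.

```python
# Added example. SAMPLE is constructed; it is not Mythic's real metadata.
# "payload", "operation_id" and "X-Hasura-Operation-Id" are hypothetical names.

def always_true(expr):
    """Return True only when a Hasura boolean expression provably matches every row."""
    if not isinstance(expr, dict):
        return False
    # Keys of one object are ANDed together; {} carries no condition, so it is open.
    return all(_key_always_true(key, value) for key, value in expr.items())

def _key_always_true(key, value):
    if key == "_and":
        return all(always_true(branch) for branch in value)
    if key == "_or":
        # A single open branch makes the whole disjunction open.
        return any(always_true(branch) for branch in value)
    # Column, relationship or _not conditions depend on row data: treat as scoped.
    return False

def unscoped_select_permissions(table_meta):
    """List (role, columns) pairs whose select filter does not restrict rows."""
    findings = []
    for perm in table_meta.get("select_permissions", []):
        body = perm.get("permission", {})
        if always_true(body.get("filter", {})):
            findings.append((perm["role"], sorted(body.get("columns", []))))
    return findings

SCOPED = {"payload": {"operation_id": {"_eq": "X-Hasura-Operation-Id"}}}
COLUMNS = ["step_stdout", "step_stderr", "step_name", "step_description"]
SAMPLE = {
    "table": {"schema": "public", "name": "payload_build_step"},
    "select_permissions": [
        # Broken: the {} branch makes the _or true for every row.
        {"role": "operator",
         "permission": {"columns": COLUMNS, "filter": {"_or": [SCOPED, {}]}}},
        # Intended: rows limited to the caller's operation.
        {"role": "spectator",
         "permission": {"columns": COLUMNS, "filter": SCOPED}},
    ],
}

if __name__ == "__main__":
    for role, columns in unscoped_select_permissions(SAMPLE):
        print(f"{SAMPLE['table']['name']}: role {role!r} reads all rows of {columns}")
```

The check is conservative: it only folds `{}`, `_and` and `_or`, so a clean result does not prove that a filter is correctly scoped.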

Affected Systems

The issue affects the Mythic platform, specifically versions earlier than 3.4.0.60, released by its‑a‑feature. Any deployment running those versions, regardless of environment, is susceptible. The flaw does not affect later releases.

Risk and Exploitability

The CVSS 4.0 score of 7.1 classifies the weakness as high severity (the CVSS 3.1 score is 6.5). Exploitation requires authenticated access and the EPSS score is currently unavailable, so the risk is moderate but significant. The CVE is not listed in KEV, meaning exploitation in the wild has not been confirmed, but an attacker with operator or spectator credentials can immediately read the build-step output (step_stdout, step_stderr, step_name, step_description) of every operation on the server. The impact is a confidentiality breach, not a code execution vector.

Generated by OpenCVE AI on June 29, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mythic to version 3.4.0.60 or later, which restores correct permission filters for the payload_build_step table.
  • If upgrading immediately is not feasible, disable the GraphQL queries that expose payload_build_step data for spectator and operator roles until the patch can be applied.
  • After the upgrade or configuration change, verify that operation‑scoped permissions are enforced by attempting a read as a non‑owner user; the request should be denied.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Its-a-feature; Its-a-feature mythic
Vendors & Products | | Its-a-feature; Its-a-feature mythic

Mon, 29 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
Title | | Mythic < 3.4.0.60 - Broken Permission Filter in payload_build_step Table
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T17:20:36.203Z

Reserved: 2026-06-26T13:57:16.356Z

Link: CVE-2026-57951

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:03:57Z

Weaknesses