Description
Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.
Published: 2026-06-29
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mythic platforms before version 3.4.0.60 have an authorization bypass in four REST endpoints that allows an operator to access the C2 profile configuration of another operation by supplying a payload UUID they do not own. The attacker can retrieve secrets such as encryption keys and callback parameters, potentially enabling them to intercept, modify, or inject traffic into the target operation's C2 communications. Because the endpoints do not verify payload ownership, sensitive configuration data is exposed, compromising the confidentiality of the affected operation's control channel. The weakness is categorized as CWE-862.

Affected Systems

This issue affects Mythic applications from the its-a-feature vendor. Any installation running a version older than 3.4.0.60 is potentially vulnerable. The specific endpoints impacted are c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook.

Risk and Exploitability

The CVSS score for this issue is 6, indicating medium severity. The EPSS score is currently unavailable, so the probability of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog. The intended attack path is an authenticated operator who already has access to the Mythic console and calls the affected endpoints with a payload UUID belonging to a different operation. Successful exploitation requires at least operator privileges and knowledge of a valid payload UUID from another operation, suggesting a moderate likelihood of exploitation in environments where multiple independent operations run on a single Mythic instance.

Generated by OpenCVE AI on June 29, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mythic version 3.4.0.60 or later to apply the authorization check.
  • If an upgrade is not possible, restrict access to the four endpoints so that only the owning operation’s payload UUIDs are accepted.
  • Re-evaluate operator assignments to ensure each operation runs in isolation and monitor logs for unusual payload UUID usage.
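As an added illustration of the last two actions (example code, not OpenCVE's or Mythic's own), the following Python models the missing ownership check and a log review that flags cross-operation payload UUID use on the four endpoints; the payload registry and the access-log format are hypothetical and constructed for the example.

```python
"""Ownership check (CWE-862 fix) and log review for the four affected endpoints.

Hypothetical model: each payload UUID is registered to exactly one operation, and
a request is authorized only when the caller's current operation owns that payload.
"""
import re
from typing import Dict, List

AFFECTED_ENDPOINTS = {
    "c2profile_config_check_webhook",
    "c2profile_redirect_rules_webhook",
    "c2profile_get_ioc_webhook",
    "c2profile_sample_message_webhook",
}

# Constructed sample registry: payload UUID -> owning operation id.
PAYLOAD_OWNER: Dict[str, int] = {
    "a1f2b3c4-0000-4000-8000-000000000001": 1,
    "a1f2b3c4-0000-4000-8000-000000000002": 2,
}

def authorize_payload_access(current_operation: int, payload_uuid: str) -> bool:
    """Allow only when the caller's operation owns the payload; unknown UUIDs are denied."""
    owner = PAYLOAD_OWNER.get(payload_uuid)
    return owner is not None and owner == current_operation

# Constructed log format: "<operator> op=<operation> <endpoint> payload=<uuid>"
LOG_RE = re.compile(r"^(?P<user>\S+) op=(?P<op>\d+) (?P<endpoint>\S+) payload=(?P<uuid>\S+)$")

def find_cross_operation_access(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag calls to affected endpoints whose payload UUID belongs to another operation."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["endpoint"] not in AFFECTED_ENDPOINTS:
            continue  # malformed line or an endpoint outside the advisory's scope
        if not authorize_payload_access(int(m["op"]), m["uuid"]):
            findings.append({"user": m["user"], "operation": m["op"],
                             "endpoint": m["endpoint"], "payload": m["uuid"],
                             "owner": str(PAYLOAD_OWNER.get(m["uuid"], "unknown"))})
    return findings

# Constructed sample log: a legitimate call, a cross-operation call, an unrelated endpoint.
SAMPLE_LOG = [
    "alice op=1 c2profile_get_ioc_webhook payload=a1f2b3c4-0000-4000-8000-000000000001",
    "bob op=1 c2profile_config_check_webhook payload=a1f2b3c4-0000-4000-8000-000000000002",
    "bob op=1 some_other_webhook payload=a1f2b3c4-0000-4000-8000-000000000002",
]
```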


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Its-a-feature; Its-a-feature mythic
Type: Vendors & Products
Values Added: Its-a-feature; Its-a-feature mythic

Mon, 29 Jun 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type: Description
Values Added: Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.
Type: Title
Values Added: Mythic < 3.4.0.60 - Unauthorized C2 Profile Configuration Access via Unverified Payload UUID
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}
cvssV4_0
{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T18:15:58.956Z

Reserved: 2026-06-26T13:59:33.047Z

Link: CVE-2026-57952

Vulnrichment

Updated: 2026-06-29T18:15:54.816Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:03:56Z

Weaknesses