Description
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Mythic allows authenticated users with a spectator role to bypass normal authorization controls when accessing the eventing_import_automatic_webhook endpoint. This misconfiguration lets them create or delete automation workflows, altering operation automation and EventGroups without proper vetting. The flaw is an authorization bypass (CWE-863), enabling a moderate-impact compromise of the platform's operation configuration.

Affected Systems

Mythic instances running any version prior to 3.4.0.60, provided by its-a-feature, are impacted. The affected component is the eventing_import_automatic_webhook endpoint exposed under spectator-permitted middleware, meaning all deployments of Mythic before the 3.4.0.60 release are vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates medium severity, and the EPSS score is not reported. The vulnerability is not listed in CISA KEV. An attacker must first authenticate to Mythic with a spectator role, which can be achieved through valid credentials or by exploiting another authentication weakness. Once authenticated, the attacker can call the endpoint and create or delete automation workflows, thereby changing the platform’s behavior and potentially affecting operations. Although the attack requires authentication, the misconfigured permission renders it trivial for any spectator to exercise these destructive actions.

Generated by OpenCVE AI on June 29, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mythic to version 3.4.0.60 or later, which removes the vulnerable endpoint exposure to spectator roles.
  • Verify that the eventing_import_automatic_webhook endpoint is no longer accessible to users with spectator permissions, ensuring role-based access is correctly configured.
  • Conduct an audit of existing automation workflows and EventGroups to detect any unauthorized changes that may have occurred prior to the update.
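A regression check for the access-control defect described above and for the verification step in the recommended actions, as an added example in Go that is not Mythic's own code: a role-gating middleware with the write endpoint registered first under spectator-permitted middleware (the bug) and then under write-capable roles only (the fix). The X-Role header, the role names and the /api/... paths are assumptions; only the endpoint name comes from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const roleHeader = "X-Role" // constructed: upstream auth sets the caller's role here, not Mythic's real session handling

// requireRole lets only the listed roles reach next; everyone else gets 403.
func requireRole(next http.Handler, allowed ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, a := range allowed {
			if r.Header.Get(roleHeader) == a {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// newMux builds a route table with hypothetical paths. fixed=false models the
// advisory's bug; fixed=true gates the write endpoint to write-capable roles.
func newMux(fixed bool) *http.ServeMux {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	readers := []string{"spectator", "operator", "admin"}
	webhookRoles := readers // bug: a write endpoint under spectator-permitted middleware
	if fixed {
		webhookRoles = []string{"operator", "admin"}
	}
	mux := http.NewServeMux()
	mux.Handle("/api/eventgroups", requireRole(ok, readers...))
	mux.Handle("/api/eventing_import_automatic_webhook", requireRole(ok, webhookRoles...))
	return mux
}

// statusAs returns the HTTP status a caller holding role gets for the request.
func statusAs(mux *http.ServeMux, role, method, path string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set(roleHeader, role)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusAs(newMux(true), "spectator", "POST", "/api/eventing_import_automatic_webhook")) // 403
}
```

The same shape of test, pointed at the real route table, is the check that the endpoint is no longer reachable with spectator permissions after upgrading.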

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Its-a-feature; Its-a-feature mythic
Vendors & Products  |                | Its-a-feature; Its-a-feature mythic

Mon, 29 Jun 2026 20:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
Title       |                | Mythic < 3.4.0.60 - Unauthorized Automation Workflow Modification via eventing_import_automatic_webhook Endpoint
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}
            |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T19:40:50.774Z

Reserved: 2026-06-26T13:59:33.047Z

Link: CVE-2026-57953

Vulnrichment

Updated: 2026-06-29T19:40:48.138Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:03:55Z

Weaknesses