CVE-2026-25058
Published: 20 April 2026
Summary
CVE-2026-25058 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vexa Vexa. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 20.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 requires explicit authorization of actions without identification or authentication, directly addressing the unauthenticated access to the /internal/transcripts/{meeting_id} endpoint.
AC-3 mandates enforcement of approved authorizations for access to system resources, preventing unauthorized retrieval of sensitive meeting transcripts.
SC-7 controls communications at internal interfaces, mitigating network access to the exposed unauthenticated transcription endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on a network-accessible internal API endpoint (GET /internal/transcripts/{meeting_id}) in a self-hostable web service directly enables remote exploitation of a public-facing application to access sensitive data without credentials.
NVD Description
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.
Deeper analysis
CVE-2026-25058 is a missing authentication vulnerability (CWE-306, CWE-862) in the Vexa transcription-collector service, an open-source, self-hostable meeting bot API and meeting transcription API. In versions prior to 0.10.0-260419-1910, the service exposes an internal endpoint at GET /internal/transcripts/{meeting_id} that returns transcript data for any meeting without authentication or authorization checks. This flaw, published on 2026-04-20 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), allows unauthorized access to sensitive transcription content.
An unauthenticated attacker with network access can exploit this vulnerability by enumerating meeting IDs and directly querying the exposed endpoint to retrieve any user's meeting transcripts without credentials. Successful exploitation enables the theft of confidential information, including business conversations, passwords, and personally identifiable information (PII) captured in transcripts.
The GitHub security advisory (GHSA-w73r-2449-qwgh) confirms that upgrading to version 0.10.0-260419-1910 patches the issue by addressing the lack of authentication on the internal endpoint.
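The exploitation pattern described above (unauthenticated requests to the internal transcript endpoint, followed by meeting-ID enumeration) leaves a distinctive trace in access logs. The following is an added detection example, not code from Vexa or from the advisory; the log format, the trusted service network 10.0.0.0/24 and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic): source IP, method, path,
# HTTP status, and whether the request carried an Authorization header.
SAMPLE_LOG = """\
10.0.0.5 GET /internal/transcripts/m-1001 200 auth=yes
203.0.113.9 GET /internal/transcripts/m-1001 200 auth=no
203.0.113.9 GET /internal/transcripts/m-1002 200 auth=no
203.0.113.9 GET /internal/transcripts/m-1003 200 auth=no
203.0.113.9 GET /internal/transcripts/m-1004 404 auth=no
10.0.0.7 GET /health 200 auth=no
"""
# Assumed deployment detail: only services on this network should reach the collector.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$")
TRANSCRIPT_RE = re.compile(r"^/internal/transcripts/(?P<meeting_id>[^/?\s]+)$")

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def suspicious_transcript_hits(log: str) -> list[tuple[str, str, int]]:
    """(ip, meeting_id, status) for transcript requests that lack credentials
    or originate outside the trusted service network."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        t = TRANSCRIPT_RE.match(m["path"]) if m else None
        if t and (m["auth"] == "no" or not is_trusted(m["ip"])):
            hits.append((m["ip"], t["meeting_id"], int(m["status"])))
    return hits

def enumeration_sources(hits, min_distinct: int = 3) -> dict[str, int]:
    """Sources that touched many distinct meeting IDs; 404s count too, since
    misses are the signature of guessing IDs rather than knowing them."""
    ids = defaultdict(set)
    for ip, meeting_id, _ in hits:
        ids[ip].add(meeting_id)
    return {ip: len(s) for ip, s in ids.items() if len(s) >= min_distinct}
```

On the sample above the single external source is flagged for all four of its requests and reported as an enumeration source; the authenticated in-network request and the /health probe are ignored.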
Details
- CWE(s)