Cyber Resilience

CVE-2026-25058

Severity: High · Public PoC

Published: 20 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: 0.10.0-260419-1910
CVSS v3.1: 7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0010 (27.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25058 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vexa, the open-source, self-hostable meeting bot and meeting transcription API (vendor: Vexa). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-25058 is a missing authentication vulnerability (CWE-306, CWE-862) in the Vexa transcription-collector service, an open-source, self-hostable meeting bot API and meeting transcription API. In versions prior to 0.10.0-260419-1910, the service exposes an internal endpoint at GET /internal/transcripts/{meeting_id} that returns transcript data for any meeting without authentication or authorization checks. This flaw, published on 2026-04-20 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), allows unauthorized access to sensitive transcription content.

An unauthenticated attacker who can reach the transcription-collector service over the network (the CVSS vector's AV:N) can exploit this vulnerability by enumerating meeting IDs and directly querying the exposed endpoint to retrieve any user's meeting transcripts without credentials. Successful exploitation enables the theft of confidential information, including business conversations, passwords, and personally identifiable information (PII) captured in transcripts.

The GitHub security advisory (GHSA-w73r-2449-qwgh) confirms that upgrading to version 0.10.0-260419-1910 patches the issue by adding authentication to the internal endpoint. Until the upgrade is applied, self-hosters should ensure the collector's /internal/ routes are not reachable from untrusted networks, which is the SC-7 control listed below.
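The check a self-hoster wants first is whether their collector instance answers the internal endpoint without credentials. The following is an added example, not Vexa project code: it sends an unauthenticated GET to /internal/transcripts/{meeting_id} and classifies the reply. The two local mock servers are constructed to stand in for the pre-fix and post-fix behaviour the advisory describes; the JSON response shape, the meeting ID value and the X-Internal-Token header name are assumptions, not details from the page.

```python
"""Exposure check for GET /internal/transcripts/{meeting_id} (added example)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def classify(status: int, body: bytes) -> str:
    """Map the result of an unauthenticated probe to a verdict."""
    if status in (401, 403):
        return "protected"       # auth enforced (patched, or fronted by a gateway)
    if status == 404:
        return "not_found"       # route absent or not reachable: inconclusive
    if status == 200:
        try:
            json.loads(body)
        except ValueError:
            return "inconclusive"  # 200 but not transcript JSON
        return "exposed"         # transcript data served with no credentials
    return "inconclusive"


def probe(base_url: str, meeting_id: str, timeout: float = 5.0) -> str:
    """GET the endpoint with no credentials at all and classify the answer."""
    url = f"{base_url.rstrip('/')}/internal/transcripts/{meeting_id}"
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read())


# --- constructed mock of a collector instance, pre-fix and post-fix ---
def _make_handler(enforce_auth: bool):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith("/internal/transcripts/"):
                self.send_error(404)
                return
            # Post-fix behaviour is assumed to be "reject without a service token".
            if enforce_auth and self.headers.get("X-Internal-Token") is None:
                self.send_error(401)
                return
            body = json.dumps({"meeting_id": self.path.rsplit("/", 1)[1],
                               "segments": [{"speaker": "A", "text": "..."}]}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_mock(enforce_auth: bool):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _make_handler(enforce_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def check_mock(enforce_auth: bool) -> str:
    """Probe a mock instance; meeting ID "1" is an assumed value."""
    srv, base = start_mock(enforce_auth)
    try:
        return probe(base, "1")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("pre-fix behaviour :", check_mock(enforce_auth=False))
    print("post-fix behaviour:", check_mock(enforce_auth=True))
```

Point `probe()` at the collector's own listener, not at the API gateway: a 401 from a gateway that never forwards /internal/ paths says nothing about whether the collector port is also published. A `not_found` verdict is inconclusive for the same reason.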


Vulnerability details

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.

CWE(s)

CWE-306 Missing Authentication for Critical Function
CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Missing authentication on a network-accessible internal API endpoint (GET /internal/transcripts/{meeting_id}) in a self-hostable web service directly enables remote exploitation of a public-facing application to access sensitive data without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
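For the detection side of T1190 here, the signal is simple: requests to /internal/transcripts/ that do not originate from the services entitled to call the collector, and one source walking through many meeting IDs. The following is an added example, not Vexa project code. The access-log lines are constructed in a common-log-like format (adjust LOG_RE for your reverse proxy or uvicorn format), and INTERNAL_NETS is an assumed allowlist for the service network the collector's legitimate callers live on.

```python
"""Access-log detection for unauthorised use of /internal/transcripts/ (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed: the Docker/service networks from which internal callers legitimately originate.
INTERNAL_NETS = [ipaddress.ip_network("172.18.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
ENUM_THRESHOLD = 5  # distinct meeting IDs from one source before we call it enumeration

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
PATH_RE = re.compile(r"^/internal/transcripts/(?P<meeting_id>[^/?#]+)")


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return (external_hits, enumerators).

    external_hits: (ip, meeting_id, status) for every transcript request from
                   outside INTERNAL_NETS, whatever the status (a 404 is still a probe)
    enumerators:   ip -> set of meeting IDs, for sources at or above ENUM_THRESHOLD
    """
    external_hits = []
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PATH_RE.match(m["path"])
        if not p:
            continue
        ip, mid, status = m["ip"], p["meeting_id"], int(m["status"])
        ids_by_ip[ip].add(mid)
        if not is_internal(ip):
            external_hits.append((ip, mid, status))
    enumerators = {ip: ids for ip, ids in ids_by_ip.items() if len(ids) >= ENUM_THRESHOLD}
    return external_hits, enumerators


# Constructed sample: one legitimate internal caller, one external source walking IDs 1..5.
SAMPLE_LOG = """\
172.18.0.5 - - [21/Apr/2026:10:00:01 +0000] "GET /internal/transcripts/42 HTTP/1.1" 200 5120
203.0.113.7 - - [21/Apr/2026:10:01:00 +0000] "GET /internal/transcripts/1 HTTP/1.1" 200 980
203.0.113.7 - - [21/Apr/2026:10:01:01 +0000] "GET /internal/transcripts/2 HTTP/1.1" 200 1410
203.0.113.7 - - [21/Apr/2026:10:01:01 +0000] "GET /internal/transcripts/3 HTTP/1.1" 404 0
203.0.113.7 - - [21/Apr/2026:10:01:02 +0000] "GET /internal/transcripts/4 HTTP/1.1" 200 2210
203.0.113.7 - - [21/Apr/2026:10:01:02 +0000] "GET /internal/transcripts/5 HTTP/1.1" 200 3300
203.0.113.7 - - [21/Apr/2026:10:01:03 +0000] "GET /healthz HTTP/1.1" 200 2
10.1.2.3 - - [21/Apr/2026:10:02:00 +0000] "GET /internal/transcripts/42 HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    hits, enums = analyze(SAMPLE_LOG)
    for ip, mid, status in hits:
        print(f"ALERT external source {ip} requested transcript {mid} (HTTP {status})")
    for ip, ids in enums.items():
        print(f"ALERT {ip} enumerated {len(ids)} meeting IDs: {sorted(ids)}")
```

If the collector sits behind a reverse proxy, make sure the log's client field is the real peer (or a trusted X-Forwarded-For), otherwise every request appears to come from the proxy's internal address and the allowlist check is blind.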

CVEs Like This One

CVE-2025-70146 (shared: CWE-306, CWE-862)
CVE-2026-44320 (shared: CWE-306, CWE-862)
CVE-2025-70141 (shared: CWE-306, CWE-862)
CVE-2026-30784 (shared: CWE-306, CWE-862)
CVE-2026-44327 (shared: CWE-306, CWE-862)
CVE-2026-44329 (shared: CWE-306, CWE-862)
CVE-2026-42569 (shared: CWE-306, CWE-862)
CVE-2025-52024 (shared: CWE-306, CWE-862)
CVE-2026-44328 (shared: CWE-306, CWE-862)
CVE-2026-45209 (shared: CWE-862)

Affected Assets

Vendor: vexa
Product: vexa
Versions: ≤ 0.10 (the advisory text states versions prior to 0.10.0-260419-1910)

Mitigating Controls (NIST 800-53 r5) [AI]

AC-14, Permitted Actions Without Identification or Authentication (prevent): requires that any action allowed without identification or authentication be explicitly identified and justified. Reading meeting transcripts from /internal/transcripts/{meeting_id} is not such an action, so the endpoint must authenticate its callers.

AC-3, Access Enforcement (prevent): mandates enforcement of approved authorizations for access to system resources, so that even an authenticated caller cannot retrieve transcripts of meetings it is not entitled to.

SC-7, Boundary Protection (prevent): requires controlling communications at external boundaries and key internal boundaries, so the collector's /internal/ routes should be reachable only from the services that legitimately call them, never from the public network.
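How the three controls land in a request handler is easier to see side by side with the pre-fix behaviour. The following is an added example, not Vexa project code, written as plain functions so it runs without a web framework. The authentication scheme (a shared service token in an X-Internal-Token header, compared in constant time) and the internal allowlist network are assumptions standing in for whatever service-to-service auth a deployment actually uses; the transcript store is constructed.

```python
"""Vulnerable versus hardened GET /internal/transcripts/{meeting_id} (added example)."""
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed transcript store keyed by meeting_id.
TRANSCRIPTS = {
    "42": {"meeting_id": "42", "segments": [{"speaker": "A", "text": "quarterly numbers..."}]},
}

INTERNAL_NET = ipaddress.ip_network("172.18.0.0/16")  # assumed service network (SC-7)
# Assumed scheme: a shared secret for internal services; read from the environment
# or a secret store in deployment, demo constant here.
INTERNAL_TOKEN = os.environ.get("INTERNAL_SERVICE_TOKEN", "demo-only-token-change-me")


@dataclass
class Request:
    client_ip: str                       # real peer address, not a spoofable header
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def get_transcript_vulnerable(req: Request, meeting_id: str) -> Response:
    """Pre-fix behaviour (CWE-306 / CWE-862): nobody asks who is calling."""
    t = TRANSCRIPTS.get(meeting_id)
    return Response(200, t) if t else Response(404)


def require_internal_caller(req: Request) -> Optional[Response]:
    """Deny unless the caller is on the internal network AND presents the service token.

    SC-7: the network check rejects anything from outside INTERNAL_NET.
    AC-14 / AC-3: the token check means no transcript read happens unauthenticated,
    and only callers holding the internal service credential are authorized.
    """
    try:
        addr = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return Response(403)
    if addr not in INTERNAL_NET:
        return Response(403)
    presented = req.headers.get("X-Internal-Token", "")
    if not hmac.compare_digest(presented.encode(), INTERNAL_TOKEN.encode()):
        return Response(401)
    return None


def get_transcript_hardened(req: Request, meeting_id: str) -> Response:
    """Post-fix shape: the access decision is made before the record is touched."""
    denied = require_internal_caller(req)
    if denied:
        return denied            # deny first, so existence of meeting_id is not leaked
    t = TRANSCRIPTS.get(meeting_id)
    return Response(200, t) if t else Response(404)


if __name__ == "__main__":
    external = Request("203.0.113.7")
    internal = Request("172.18.0.9", {"X-Internal-Token": INTERNAL_TOKEN})
    print("vulnerable, external, no creds:", get_transcript_vulnerable(external, "42").status)
    print("hardened,   external, no creds:", get_transcript_hardened(external, "42").status)
    print("hardened,   internal, token   :", get_transcript_hardened(internal, "42").status)
```

Two deployment details decide whether this holds up: `client_ip` must be the socket peer (or a forwarded address taken only from a trusted proxy), and the token must be a per-deployment secret, not the demo default. The network check alone is the interim mitigation for unpatched instances; the token check is what the upgrade adds.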
