Mythic < 3.4.0.60 - Unauthorized C2 Profile Configuration Access via Unverified Payload UUID | Advisories

Advisories

Mythic < 3.4.0.60 - Unauthorized C2 Profile Configuration Access via Unverified Payload UUID

severity: medium
date: 6/29/2026
Affecting: Mythic < 3.4.0.60
CVE: CVE-2026-57952
CWE: CWE-862 Missing Authorization
CVSS: 6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Release Notes
Researcher Disclosure
Patch Commit
Credit: George Chen
Description: Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo