PT-2026-33789 · Vexa · Vexa

Published

2026-04-20

Updated

2026-04-21

CVE-2026-25058

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Vexa versions prior to 0.10.0-260419-1910

Description The transcription-collector service exposes an internal endpoint 'GET /internal/transcripts/{meeting id}' that returns transcript data for any meeting without authentication or authorization checks. This allows an unauthenticated attacker to enumerate meeting id values and access confidential business conversations, passwords, or personally identifiable information (PII).

Recommendations Update to version 0.10.0-260419-1910.

Exploit

Fix

Missing Authentication

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306CWE-862

Related Identifiers

CVE-2026-25058

Affected Products

Vexa

PT-2026-33789 · Vexa · Vexa

CVE-2026-25058

Weakness Enumeration

Related Identifiers

Affected Products

References · 4