PT-2026-44762 · Network Optix · Nxwitness Vms

Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-10056

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Nx Witness VMS versions prior to 6.1.2

Description

A CORS misconfiguration in the REST API occurs when the software runs in the default Standard security mode on Linux and Windows. This allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform an Administrator Account Takeover by inducing the victim to visit a malicious cross-origin web page. Cross-Origin Resource Sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.

Recommendations

Update to version 6.1.2 or later. As a temporary workaround for installations in Standard security mode, set Access-Control-Allow-Credentials to false by sending a PATCH request to the endpoint "/rest/v2/system/settings" with the body {"supportedOrigins": "null"}. Select High security level during initial setup.
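
Added example (not part of the advisory and not vendor code): a Python sketch that builds the workaround PATCH request described above and checks a response's CORS headers for the credentialed cross-origin condition. The host name, the bearer-token authentication scheme, the function names and the sample headers are assumptions constructed for illustration.

```python
import json
import urllib.request

SETTINGS_PATH = "/rest/v2/system/settings"      # endpoint named in the advisory
WORKAROUND_BODY = {"supportedOrigins": "null"}  # body named in the advisory


def build_workaround_request(base_url, bearer_token):
    """Build (but do not send) the PATCH request from the Recommendations."""
    return urllib.request.Request(
        base_url.rstrip("/") + SETTINGS_PATH,
        data=json.dumps(WORKAROUND_BODY).encode(),
        method="PATCH",
        headers={
            "Content-Type": "application/json",
            # Assumption: bearer-token auth; use your deployment's scheme.
            "Authorization": "Bearer " + bearer_token,
        },
    )


def credentialed_cors_exposed(response_headers, probe_origin):
    """True if the response lets probe_origin read it with user credentials."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    allow_origin = h.get("access-control-allow-origin", "")
    # Browsers reject "*" on credentialed requests, so only an echoed origin
    # (or the opaque "null" origin) together with credentials=true matters.
    return allow_creds and allow_origin in (probe_origin, "null")


# Constructed sample headers, not captured from the product.
PROBE = "https://untrusted.example"
BEFORE = {"Access-Control-Allow-Origin": PROBE,
          "Access-Control-Allow-Credentials": "true"}
AFTER = {"Access-Control-Allow-Credentials": "false"}

if __name__ == "__main__":
    req = build_workaround_request("https://vms.example", "PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url, req.data.decode())
    print("before workaround exposed:", credentialed_cors_exposed(BEFORE, PROBE))
    print("after workaround exposed: ", credentialed_cors_exposed(AFTER, PROBE))
```

To apply the setting, pass the built request to urllib.request.urlopen against your own server, then re-run the header check on a response to a request that carries an untrusted Origin header.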

Related Identifiers

CVE-2026-10056

Affected Products

Nxwitness Vms