PT-2026-53669 · Its A Feature · Mythic

George Chen · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-57951

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Mythic before 3.4.0.60 contains a broken Hasura permission filter on the payload build step table: an always-satisfied OR condition bypasses operation-scoped access controls. Authenticated operators and spectators can query payload build step to read step stdout, step stderr, step name, and step description across all operations on the server.
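
The check below is an added example, not code from Mythic or from this advisory. It walks a Hasura select-permission filter and reports every `_or` that contains a match-all branch such as `{}`, which is one way an OR condition ends up always satisfied. The table, column, role and session-variable names, and both filters, are constructed stand-ins; only `{}`, `_and` and `_or` are evaluated, and everything else is treated as restrictive.

```python
# Constructed filters in Hasura metadata shape; all names are illustrative
# stand-ins, not Mythic's actual metadata.
SCOPED = {"operation_id": {"_eq": "X-Hasura-Operation-Id"}}
BROKEN = {"payload": {"_or": [SCOPED, {}]}}   # second branch matches every row
FIXED = {"payload": SCOPED}                   # operation-scoped only


def sample_table(row_filter):
    """Constructed table metadata granting two roles the same select filter."""
    return {
        "table": {"schema": "public", "name": "payload_build_step"},
        "select_permissions": [
            {"role": role,
             "permission": {"columns": ["step_stdout", "step_stderr"],
                            "filter": row_filter}}
            for role in ("operator", "spectator")],
    }


def always_true(expr):
    """True if a Hasura boolean expression provably matches every row."""
    if not isinstance(expr, dict):
        return False
    # {} is the empty (match-all) expression; sibling keys are ANDed together.
    return all(_key_always_true(k, v) for k, v in expr.items())


def _key_always_true(key, value):
    if key == "_and":
        return all(always_true(e) for e in value)
    if key == "_or":
        return any(always_true(e) for e in value)
    return False  # comparisons, relationships, _not, _exists: assumed restrictive


def open_or_paths(expr, path="filter"):
    """Paths of every _or that has a match-all branch, at any nesting depth."""
    found = []
    if isinstance(expr, dict):
        for key, value in expr.items():
            here = f"{path}.{key}"
            if key == "_or" and any(always_true(e) for e in value):
                found.append(here)
            found += open_or_paths(value, here)
    elif isinstance(expr, list):
        for i, item in enumerate(expr):
            found += open_or_paths(item, f"{path}[{i}]")
    return found


def audit(table):
    """(role, path) for each select permission whose filter has an open _or."""
    return [(p["role"], path) for p in table.get("select_permissions", [])
            for path in open_or_paths(p["permission"].get("filter", {}))]
```

Running `audit()` over each table entry of an exported Hasura metadata file gives a quick review list of roles whose row filter does not actually restrict by operation.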

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-57951

Affected Products

Mythic