CRITICAL🇵🇱 Wersja polska

CVE-2026-49197

CVSS 10.0v4.0pub. 2026-05-29upd. 2026-06-08

Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.

🤖 AI Analysis
How it works

The authentication mechanism does not block HTTP requests when Base64 decoding of the Authorization header value fails — instead of rejecting the invalid request, the endpoint passes it through as authenticated. A network attacker, without required permissions and without user interaction, can send a crafted HTTP request with an invalid or deliberately corrupted Authorization header, thereby bypassing the entire access control layer (CWE-287: Improper Authentication).

Impact

An unauthenticated remote attacker can gain full access to protected resources and application functions, potentially leading to device takeover, data breach, and violation of system integrity and associated resources.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references published by Acer at https://community.acer.com/en/kb/articles/19672

Who is affected

Web endpoints intended for the Acer Connect application — exact product versions indicated in manufacturer references (https://community.acer.com/en/kb/articles/19672)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Acer Predator Connect W6x

    HW
    Acer
    wszystkie wersje
  • Acer Predator Connect W6x Firmware

    OS
    Acer
    ≤ w6x_gbl_2.00.000005
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-49199CRITICAL10.0PL ✓ten sam produkt

Command injection przez MQTT umożliwia wykonanie kodu z uprawnieniami root

CVE-2026-49195HIGH8.7ten sam produkt

Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, al...

CVE-2026-49196HIGH8.6ten sam produkt

The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arb...

CVE-2026-49198HIGH8.3ten sam produkt

Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to u...

CVE-2026-49185CRITICAL10.0PL ✓ten sam vendor

Command injection w Acer Connect M6E 5G via FieldX MDM adb messaging