Severity: HIGH | CVE-2026-10056 | CNA: NX

CVE-2026-10056: CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.

Workaround: For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.

Solution: Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.

HarborGuard Analysis

Synopsis

A CORS misconfiguration in the REST API of Network Optix Nx Witness VMS lets an unauthenticated remote attacker exfiltrate the session token of an authenticated user when that user visits a malicious cross-origin web page. The flaw is reachable over the network, requires no attacker credentials, and depends on the victim browsing to an attacker-controlled page; successful exploitation enables full Administrator account takeover with read, write, and disruption capabilities over the VMS. A patched-image rebuild at version 6.1.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against Nx Witness VMS images in customer registries and pipelines. Coverage extends to custom-built images that embed the affected Network Optix binaries.

Triage: Available

Triage is available with the published CVSS 7.5 HIGH score weighted against each customer's compliance policy, so environments that treat browser-driven admin takeover as a top-tier risk see the finding escalated accordingly. Routing into the right inbox inside each customer org happens automatically based on image ownership and team mappings.

Patch: Available

A patched-image rebuild at Nx Witness VMS 6.1.2 is available on HarborGuard, with Access-Control-Allow-Credentials set to false in the default Standard security configuration. For customers who opt into auto-remediation, the rebuild runs through regression tests and a PR is opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The victim's browser must be able to reach the VMS REST API over the network, because the cross-origin request is issued from the victim's browser context rather than from the attacker's host.

  • Authentication: Not required

    No attacker credentials are needed; the exploit hijacks an existing authenticated session belonging to the victim.

  • Victim interaction: Required

    An authenticated VMS user must visit a malicious cross-origin web page that issues the crafted request.

  • Attack complexity: High

    Complexity is high because the attacker must lure an already-authenticated administrator to a controlled page and time the cross-origin request against a live session.

Blast Radius

  • Steals the session token of an authenticated VMS user, enabling Administrator account takeover.
  • Reads camera feeds, recorded video, user accounts, and system configuration exposed through the REST API.
  • Modifies VMS settings, user accounts, and stored configuration as an administrator.
  • Disrupts video surveillance operations by disabling recording, removing users, or reconfiguring the system.

How HarborGuard Handles This

Available on HarborGuard: a rebuilt Nx Witness VMS image at version 6.1.2 with the corrected Access-Control-Allow-Credentials default, ready to roll out into affected environments. For customers with auto-remediation enabled, the rebuild is regression-tested and a PR is opened against workloads still on a vulnerable version, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes. Environments that cannot upgrade immediately can apply the vendor workaround by PATCHing /rest/v2/system/settings with {"supportedOrigins": "null"} or switching to High security mode, both of which neutralize the cross-origin token theft path until the patched image is deployed.
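As an added example (not HarborGuard's or Network Optix's code), the following Python script gives a defender a way to verify the condition the advisory and the remediation paragraph above both turn on: it classifies the CORS headers a server returns for a request carrying a foreign Origin, flagging Access-Control-Allow-Credentials: true paired with an Access-Control-Allow-Origin value that an arbitrary page can satisfy, and it builds the vendor workaround request exactly as the advisory states it so the probe can be re-run after the workaround or the 6.1.2 update is applied. The two sample header sets are constructed, the hostnames and the probe origin are placeholders, and the endpoint you point the probe at plus whatever authentication the PATCH needs on your deployment are assumptions.

```python
"""CORS audit for credentialed cross-origin reads (added example, not vendor code)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CorsVerdict:
    allow_origin: Optional[str]
    allow_credentials: bool
    credentialed_cross_origin: bool  # True: a foreign page could read an authenticated response
    reason: str


def evaluate_cors(headers: Dict[str, str], probe_origin: str) -> CorsVerdict:
    """Classify one response's CORS headers as seen from a page at probe_origin."""
    # Header names are case-insensitive; normalise them once.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    allow_credentials = h.get("access-control-allow-credentials", "").lower() == "true"

    if not allow_credentials:
        # This is the state the 6.1.2 fix and the workaround put the server in:
        # the browser sends the request but withholds the body from the foreign page.
        return CorsVerdict(allow_origin, False, False,
                           "credentials not allowed; browser withholds the authenticated response")
    if allow_origin is None:
        return CorsVerdict(allow_origin, True, False,
                           "no Access-Control-Allow-Origin; browser blocks the cross-origin read")
    if allow_origin == "*":
        # Browsers refuse '*' together with credentials, so not readable, but worth reviewing.
        return CorsVerdict(allow_origin, True, False,
                           "wildcard origin with credentials is rejected by browsers; review the policy")
    if allow_origin == "null":
        # 'null' is a shared origin value, not one specific site, so it is not a safe allow-list entry.
        return CorsVerdict(allow_origin, True, True,
                           "'null' origin accepted with credentials; not tied to a trusted site")
    if allow_origin == probe_origin:
        return CorsVerdict(allow_origin, True, True,
                           f"probe origin {probe_origin} reflected with credentials")
    return CorsVerdict(allow_origin, True, False,
                       f"origin pinned to {allow_origin}; probe origin not accepted")


def probe(url: str, probe_origin: str = "https://cors-audit.example") -> CorsVerdict:
    """Send one unauthenticated GET with a foreign Origin and evaluate the reply.

    url is any REST endpoint your own VMS exposes (assumption: which path to use
    is deployment-specific). 401/403 replies are evaluated too, since CORS
    headers are normally present on them as well.
    """
    req = urllib.request.Request(url, headers={"Origin": probe_origin}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            hdrs = dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        hdrs = dict(err.headers.items())
    return evaluate_cors(hdrs, probe_origin)


def workaround_request(base_url: str) -> urllib.request.Request:
    """Build the vendor workaround from the advisory: PATCH /rest/v2/system/settings
    with body {"supportedOrigins": "null"}. Authentication is deliberately not
    added here; supply whatever your deployment requires before sending (assumption)."""
    body = json.dumps({"supportedOrigins": "null"}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/rest/v2/system/settings",
        data=body,
        headers={"Content-Type": "application/json"},
        method="PATCH",
    )


# Constructed sample responses (not captured from a real Nx Witness server).
SAMPLE_VULNERABLE = {
    "Access-Control-Allow-Origin": "https://cors-audit.example",  # probe origin reflected
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
}
SAMPLE_FIXED = {
    "Access-Control-Allow-Origin": "https://cors-audit.example",
    "Access-Control-Allow-Credentials": "false",  # the 6.1.2 default
}

if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        v = evaluate_cors(sample, "https://cors-audit.example")
        print(f"{name}: readable cross-origin={v.credentialed_cross_origin} ({v.reason})")
```

To check a live deployment, call probe() with a REST URL on your own VMS before and after applying the workaround or the update; the verdict should move from credentialed_cross_origin=True to False. The classifier deliberately treats a reflected probe origin and a "null" origin as readable, and a wildcard as not readable, because that is how browsers enforce the credentials rule.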


Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 6.1.2
  • Affected Products: 1
  • Fix available: 6.1.2
  • Affected packages: Network Optix / Nx Witness VMS < 6.1.2 (from 0)
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H