CRITICAL | CVE-2026-49190 | CNA: Acer

CVE-2026-49190: Missing Per-Instruction Authorization Checks

The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions.

Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: (no version listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Missing per-instruction authorization is an access control vulnerability in the Acer Connect M6E 5G Portable WiFi Router (firmware version M6E_AI_1.00.000019 and earlier). The flaw is reachable over the network by any low-privilege account, with no victim interaction required, because the router fails to verify whether the caller is permitted to invoke specific internal operation codes (opcodes). Successful exploitation lets an attacker install unauthorized applications or execute arbitrary commands on the device. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-49190 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built firmware or router management container images derived from affected Acer software. Coverage applies to both registry scans and inline pipeline scans.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 rating of 9.4 (Critical) and applying each customer organization's compliance policy weighting to prioritize it accordingly. Triage routing is available to direct findings to the appropriate team inbox within each customer environment based on workload ownership rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the Acer advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers can use HarborGuard's policy controls to flag any image carrying the affected firmware version as non-compliant and block it from promotion through the pipeline.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerability is exposed over the network, meaning an attacker must be able to reach the router's management interface across the network to send crafted opcode requests.

  • Authentication: Required

    A low-privilege account is sufficient to trigger the flaw; full administrative credentials are not needed, but the attacker must hold at least some valid credential on the device.

  • Victim interaction: Not required

    No action from a legitimate user or administrator is needed; the attacker can exploit the device entirely on their own once network access and credentials are available.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup beyond network access and a valid low-privilege account.

Blast Radius

  • Reads sensitive configuration data, credentials stored on the device, and network traffic passing through the router.
  • Modifies router configuration, routing rules, or firewall policies, potentially redirecting or intercepting traffic from all connected clients.
  • Installs unauthorized applications or persistent backdoors on the router firmware, surviving reboots.
  • Crashes or destabilizes the router service, disrupting network connectivity for all clients depending on the device.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-49190, HarborGuard continuously re-ingests the Acer advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. For environments with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads, with no manual intervention required. In the meantime, customers can apply compensating controls through HarborGuard's policy engine: marking any image carrying firmware version M6E_AI_1.00.000019 or earlier as non-compliant, blocking it from promotion to production, and enforcing network-policy isolation rules that restrict access to the router management interface to known, authorized source addresses only. HarborGuard will surface a notification to affected environments as soon as a fix version becomes available for remediation.
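
One way to express the firmware-version gate described above as a pipeline check, shown as an added example (it is not HarborGuard's policy engine or Acer code). The `firmware.version` label name and the `<model>_<variant>_<major>.<minor>.<build>` format are assumptions inferred from the single version string on this page.

```python
import re

# Last affected build, taken from the advisory text on this page.
LAST_AFFECTED = "M6E_AI_1.00.000019"

# Assumed layout: <model>_<variant>_<major>.<minor>.<build>.
_FW_RE = re.compile(r"^(?P<family>[A-Z0-9]+_[A-Z0-9]+)_(\d+)\.(\d+)\.(\d+)$")


def parse_firmware(version):
    """Return (family, (major, minor, build)), or None if malformed."""
    m = _FW_RE.match(version.strip())
    if not m:
        return None
    return m.group("family"), tuple(int(m.group(i)) for i in (2, 3, 4))


def evaluate_image(labels):
    """Return (decision, reason) for one image's metadata labels.

    `labels` is a hypothetical dict; `firmware.version` is an assumed key.
    """
    raw = labels.get("firmware.version")
    if raw is None:
        return ("allow", "no firmware label, out of scope for this rule")
    parsed = parse_firmware(raw)
    if parsed is None:
        # Fail closed: an unreadable version must not slip past the gate.
        return ("block", f"unparseable firmware version {raw!r}")
    family, numbers = parsed
    bad_family, bad_numbers = parse_firmware(LAST_AFFECTED)
    if family != bad_family:
        return ("allow", "different firmware family")
    # Compare as integers: a plain string comparison would rank
    # "1.00.00002" above "1.00.000019" and wrongly allow it.
    if numbers <= bad_numbers:
        return ("block", f"{raw} <= {LAST_AFFECTED} (CVE-2026-49190)")
    return ("allow", f"{raw} is outside the advisory's affected range")


if __name__ == "__main__":
    # Constructed sample labels, not taken from any real image.
    for fw in ("M6E_AI_1.00.000019", "M6E_AI_1.00.00002",
               "M6E_AI_1.00.000020", "m6e-ai-unknown"):
        print(fw, "->", evaluate_image({"firmware.version": fw}))
```

An "allow" here only means the build is not in the advisory's listed range; since no fixed version has been published, it does not confirm the build is patched.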

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H