CRITICAL | CVE-2026-49191 | CNA: Acer

CVE-2026-49191: Exposed Hard-coded M3WebServer Backend API Key

The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A hard-coded API key exposure vulnerability affects the Acer Connect M6E 5G Portable WiFi Router running M3WebServer firmware version M6E_AI_1.00.000019 and earlier. The vulnerability is reachable over the network with no authentication required, and the embedded API keys are trivially recoverable via verbose error pages served by the device. Successful exploitation gives an attacker full authenticated access to the backend API, enabling data disclosure, configuration tampering, and service disruption. No fix version has been published; HarborGuard tracks the upstream advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built firmware or container images derived from affected M3WebServer versions. Any image containing the affected M6E_AI_1.00.000019 firmware artifact is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.3 CRITICAL using the published CVSS v4.0 vector, and per-environment compliance policy weighting can escalate or adjust routing priority based on each organization's risk thresholds. Triage findings are routed to the appropriate team inbox within each customer org as configured.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Acer advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated firmware version is released. In the interim, findings remain open and visible in each environment's vulnerability dashboard so teams can apply compensating controls manually.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the M3WebServer interface over the network; the device's web server is exposed on the local or wide-area network interface.

  • Authentication: Not required

    No credentials are needed; the hard-coded API key is recoverable from unauthenticated error response pages served by the device.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the server without involving a victim.

  • Attack complexity: Low

    Exploit complexity is low; no race conditions or special environmental factors are required to retrieve the hard-coded key from verbose error pages.

Blast Radius

  • Attacker recovers the hard-coded backend API key and gains fully authenticated access to the M3WebServer backend API.
  • Attacker reads device configuration, connected-client data, and any credentials or session tokens accessible via the API.
  • Attacker modifies router configuration, including network settings, firewall rules, and DNS entries, affecting all clients routed through the device.
  • Attacker disrupts or disables the router service, cutting network connectivity for all devices relying on it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49191 is active across all connected registries and CI pipelines. Because Acer has not published a patched firmware version, no automated rebuild is available yet; HarborGuard will generate a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment an upstream fix is released. Until then, HarborGuard recommends applying compensating controls where feasible: isolate affected router management interfaces behind a dedicated network policy that restricts inbound HTTP access to trusted hosts only, enable egress filtering to limit backend API reachability from untrusted segments, and treat the exposed key as compromised by rotating any dependent service credentials. The open finding remains visible in each environment's dashboard for manual tracking and audit evidence.

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N