HIGH | CVE-2026-49202 | CNA: Acer

CVE-2026-49202: Unverified Meeting Recording Endpoints & Permissive CORS

Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft.

Metrics

  • CVSS v4.0: 8.8
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass and permissive CORS misconfiguration affects the Acer Connect M6E 5G Portable WiFi Router at firmware version M6E_AI_1.00.000019 and earlier. The vulnerability is reachable over the network without any credentials, and loose Cross-Origin Resource Sharing rules allow a malicious web page to silently retrieve data from the device on behalf of a visiting user. Successful exploitation gives an attacker read access to internal multimedia session archives, including stored meeting recordings. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Acer publishes a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-49202 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle this firmware or derived components. Any image containing an affected version of the Acer Connect M6E firmware stack is flagged automatically during registry and pipeline scans.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v4.0 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within the customer org based on ownership rules configured in each environment.

Status: Available

Patch

Because no fix version has been published by Acer, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers with auto-remediation enabled can apply compensating controls such as network-policy isolation to restrict access to the affected endpoints.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's web interface over the network; no local or physical access is needed.

  • Authentication: Not required

    No credentials of any kind are required to access the vulnerable recording endpoints.

  • Victim interaction: Not required

    No victim action is needed for direct endpoint access; however, the permissive CORS rules create a secondary path where a user simply visiting a malicious page triggers cross-origin retrieval without any deliberate interaction beyond the page visit.

  • Attack complexity: Detail

    Exploitation is straightforward and condition-free; no race conditions, special memory layout, or environment-specific configuration is required.

Blast Radius

  • Reads stored multimedia session archives and meeting recordings held on the device without any login.
  • Exploits permissive CORS rules to pull recording data from the device through the browser of any user on the same network who visits an attacker-controlled page.
  • Exposes metadata embedded in session archives, which may include participant identifiers, timestamps, and session content.
  • Allows limited tampering with device state (CVSS VI:L), which may permit an attacker to alter session indices or overwrite limited records.
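
The browser-mediated path described under Exploit Conditions and Blast Radius can be checked from response headers alone. The following is an added example, not code from Acer or HarborGuard: it classifies the CORS headers returned to a request that carried an untrusted `Origin`, and shows why a wildcard policy is enough for cross-site reads when the endpoint needs no login. The origins, the `needs_login` flag and the sample header sets are assumptions constructed for illustration.

```python
# Added example. Header sets are constructed samples, not captures from the device.
PROBE = "https://untrusted.example"      # hypothetical origin sent in the probe request
TRUSTED = {"https://admin.example"}      # hypothetical allow-list of legitimate front ends


def cors_exposure(headers, probe_origin=PROBE, trusted=TRUSTED, needs_login=False):
    """Return (verdict, reason) for a response to a request sent with Origin: probe_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "blocked", "no Access-Control-Allow-Origin: browsers withhold the body"
    reflected = acao == probe_origin and probe_origin not in trusted
    # "null" matches sandboxed iframes; "*" matches every origin.
    if not (acao in ("*", "null") or reflected):
        return "blocked", f"policy names {acao}, which is not the probing origin"
    # Cookies only cross origins when credentials are allowed and the origin is
    # named explicitly; browsers refuse credentialed reads against a wildcard.
    if needs_login and (acao == "*" or not creds):
        return "limited", "readable cross-origin, but only as an anonymous request"
    if not needs_login:
        return "exposed", f"policy '{acao}' on a no-login endpoint: any page can read it"
    return "exposed", "untrusted origin accepted together with credentials"


SAMPLES = {
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "reflected": {"Access-Control-Allow-Origin": PROBE,
                  "Access-Control-Allow-Credentials": "true", "Vary": "Origin"},
    "null-origin": {"access-control-allow-origin": "null"},
    "allow-listed": {"Access-Control-Allow-Origin": "https://admin.example"},
    "no-cors": {"Content-Type": "video/mp4"},
}


def audit(samples, **kwargs):
    """Map each sample name to its verdict."""
    return {name: cors_exposure(h, **kwargs)[0] for name, h in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:13} {cors_exposure(hdrs)}")
```

A "blocked" verdict closes only the cross-origin path through a visitor's browser. Direct network access to an endpoint that requires no credentials is unaffected by CORS and still needs authentication or network isolation.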

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored with no fix version currently published by Acer. HarborGuard re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Acer ships a firmware fix. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, typically within 90 minutes of upstream publication for HIGH-severity issues. While no patch is available, HarborGuard surfaces recommended compensating controls for affected environments: network-policy rules can isolate the router management interface to trusted source addresses, egress filtering can block cross-origin requests from reaching internal device endpoints, and where the recording feature is not operationally required, feature-flag or firewall gating of the relevant endpoints reduces exposure.

Affected packages

  • Acer / Connect M6E 5G Portable WiFi Router: ≤ M6E_AI_1.00.000019

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N