HarborGuard Database

CVE-2026-50213 | Severity: HIGH | CNA: Acer

CVE-2026-50213: Bulk User Private Data Harvesting

The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings.

Metrics

  • CVSS v4.0 base score: 8.7
  • Severity: HIGH
  • Fixed in: no fix version published by Acer yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated information-disclosure vulnerability affects the Acer Connect M6E 5G Portable WiFi Router firmware at version M6E_AI_1.00.000019 and earlier. The device's /v1/User/validate endpoint is reachable over the network without any credentials and returns full user profile data; because the identifiers used to look up accounts are predictable, an attacker can iterate through them systematically to harvest records in bulk. Successful exploitation gives an attacker read access to comprehensive private user profile data for all accounts stored on the device. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment Acer publishes a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50213 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Acer firmware layers. Any image at firmware version M6E_AI_1.00.000019 or earlier is flagged automatically in both registry scans and CI pipeline checks.

Triage: Available

Triage uses the CVSS v4.0 base score of 8.7 (HIGH), weighted further by each customer environment's compliance policy to reflect actual exposure and data-sensitivity classifications. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published by Acer, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are initiated without manual intervention as soon as a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the device's /v1/User/validate endpoint.

  • Authentication: Not required

    No credentials or session token of any kind are required to query the endpoint and retrieve user profile data.

  • Victim interaction: Not required

    The attacker queries the endpoint directly; no action from any user or administrator on the device is needed.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free; account identifiers are predictable, so automated enumeration requires no special timing, memory knowledge, or environmental setup.

Blast Radius

  • An attacker reads comprehensive user profile data sheets for every account stored on the device by iterating predictable user identifiers.
  • Harvested profile data may include personally identifiable information such as names, email addresses, phone numbers, or account credentials depending on what the device stores per profile.
  • Because enumeration is unauthenticated and automated, bulk harvesting of all user records on an exposed device is achievable in a single scripted pass.

How HarborGuard Handles This

Available on HarborGuard: images built on Acer Connect M6E 5G firmware at or below M6E_AI_1.00.000019 are matched against this CVE on every scan cycle. Because Acer has not yet published a fix, HarborGuard monitors the advisory on each ingest pass and will make a patched-image rebuild available the moment a fix version appears upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads will be opened automatically with no manual steps required. In the meantime, compensating controls worth evaluating include network-policy rules that restrict access to the device's management API to trusted subnets only, egress filtering to limit lateral data movement if the device is containerized or managed through a gateway image, and disabling or firewalling the /v1/User/validate endpoint at the network perimeter where firmware-level changes are not possible.
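Where the endpoint cannot be firewalled immediately, the bulk-harvesting pattern the advisory describes (one source walking many distinct identifiers on /v1/User/validate in a short window) is easy to spot in HTTP access logs. The script below is an added detection example, not HarborGuard's or Acer's code. It assumes Common Log Format style lines and assumes the account identifier arrives as a query parameter named `id`; the advisory states the endpoint path but not the parameter name, so that name and the log lines are constructed for illustration.

```python
"""Flag sources that enumerate many distinct identifiers on /v1/User/validate.

Added example, not code from HarborGuard or Acer. Assumptions, labelled:
- access logs are Common-Log-Format style lines (constructed sample below);
- the account identifier is a query parameter named `id` (hypothetical name;
  the advisory does not say how the endpoint receives the identifier).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/v1/User/validate"   # path taken from the advisory
ID_PARAM = "id"                  # hypothetical parameter name (assumption)

# ip ident user [timestamp] "METHOD target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
        "path": path,
        "ident": params.get(ID_PARAM),
        "status": int(m["status"]),
    }


def looks_sequential(idents):
    """True when the identifiers are numeric and at least 80% consecutive."""
    nums = sorted(int(i) for i in idents if i.isdigit())
    if len(nums) < 2:
        return False
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1) >= 0.8


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct=10):
    """Return {ip: finding} for sources that hit >= min_distinct distinct
    identifiers on ENDPOINT inside any sliding time window of `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == ENDPOINT and rec["ident"] is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if len({r["ident"] for r in recs[start:end + 1]}) >= min_distinct:
                all_ids = {r["ident"] for r in recs}
                findings[ip] = {
                    "distinct_ids": len(all_ids),
                    "sequential": looks_sequential(all_ids),
                    "window_start": recs[start]["ts"],
                    "window_end": recs[end]["ts"],
                }
                break
    return findings


def sample_log():
    """Constructed log lines (TEST-NET addresses, not real traffic): one source
    walks 25 consecutive identifiers; another looks up one identifier twice."""
    fmt = "%d/%b/%Y:%H:%M:%S"
    base = datetime(2026, 1, 1, 12, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "GET {ENDPOINT}?{ID_PARAM}={1000 + i} HTTP/1.1" 200 512')
    for i in (0, 40):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET {ENDPOINT}?{ID_PARAM}=4711 HTTP/1.1" 200 512')
    lines.append(f'198.51.100.7 - - [{base.strftime(fmt)}] "GET /index.html HTTP/1.1" 200 128')
    return lines


if __name__ == "__main__":
    for ip, f in find_enumeration(sample_log()).items():
        print(f"{ip}: {f['distinct_ids']} distinct ids, sequential={f['sequential']}, "
              f"{f['window_start']} .. {f['window_end']}")
```

Tune `window` and `min_distinct` to the device's normal traffic; a legitimate client validates its own account, so any source touching more than a handful of distinct identifiers is worth alerting on, and a sequential walk is the strongest signal.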

Affected packages
  • Acer / Connect M6E 5G Portable WiFi Router
    ≤ M6E_AI_1.00.000019
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N