CVE-2026-50214: Shared Secret Quota Inflation
The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability in the Acer Connect M6E 5G Portable WiFi Router allows any network-reachable attacker to access the /v1/Plan service administrative endpoint without credentials. The service relies on a shared global API token that is not enforced per-user, so no login or privilege is required to issue full administrative commands. Successful exploitation lets an attacker create arbitrary zero-cost network access plans, effectively granting free or unlimited network access and tampering with billing and quota data. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-50214 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images derived from affected Acer Connect M6E base layers. Any image at firmware version M6E_AI_1.00.000019 or earlier is flagged automatically on the next pipeline scan.
Status: Available
HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v4.0 vector and applies per-environment compliance policy weighting to prioritize routing, ensuring the finding reaches the appropriate team inbox inside each customer organization without manual filtering.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Acer releases a remediated firmware version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The /v1/Plan endpoint is exposed over the network, so an attacker must be able to reach the router's HTTP service, either from the local network segment or any routable path to the device.
- Authentication: Not required
The service uses a shared global API token rather than per-user authentication, meaning no valid account or credential is needed to issue administrative commands.
- Victim interaction: Not required
The attacker sends requests directly to the endpoint; no user action, click, or session is required to trigger the vulnerability.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is straightforward and reliable with no race conditions, memory layout dependencies, or other environmental prerequisites to satisfy.
Blast Radius
- Reads and enumerates all existing network access plans, exposing pricing and quota configuration data.
- Creates arbitrary zero-cost network access plans, allowing free or unlimited network access without payment.
- Modifies billing and quota state for the router, undermining the integrity of any metered or managed access controls.
- Disrupts legitimate plan management by flooding the plan database or overwriting existing plan records.
How HarborGuard Handles This
Because no upstream fix exists for CVE-2026-50214 at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment Acer publishes a remediated firmware version. For customers with auto-remediation enabled, the full flow (rebuild, regression test run, and PR opened against affected workloads) triggers without manual intervention. In the meantime, compensating controls are advisable: network-policy isolation that restricts access to the router's management interface to trusted subnets only, firewall filtering so the /v1/Plan endpoint cannot be reached from untrusted network segments, and feature-flag or firewall gating of the administrative API where the router firmware supports it. This CVE carries a CVSS v4.0 score of 9.3 CRITICAL, so affected images should be treated as high-priority findings until an upstream patch is available.
Affected Products
- Acer / Connect M6E 5G Portable WiFi Router: ≤ M6E_AI_1.00.000019
CVSS v4.0 vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
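Two checks a defender can script from this advisory, as an added example that is neither HarborGuard's nor Acer's code: flagging firmware at or below M6E_AI_1.00.000019 (the M6E_AI_x.yy.zzzzzz version format and its numeric ordering are assumed from the one version the page gives), and a subnet allow-list for the /v1/Plan path as the compensating control described under "How HarborGuard Handles This". The trusted subnets, the log line format and the sample log are constructed.

```python
import ipaddress
import re

# Last affected firmware build from the advisory; no fixed build has been published.
LAST_AFFECTED = "M6E_AI_1.00.000019"
# Assumption: versions look like M6E_AI_<major>.<minor>.<build>, compared numerically.
_VERSION_RE = re.compile(r"^M6E_AI_(\d+)\.(\d+)\.(\d+)$")

def parse_version(v):
    """Split an M6E firmware string such as M6E_AI_1.00.000019 into comparable integers."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not an M6E_AI firmware version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(v):
    """True when the firmware is at or below the last affected build."""
    return parse_version(v) <= parse_version(LAST_AFFECTED)

# Constructed example: the operator's management VLAN and one jump host are trusted.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("192.0.2.5/32")]
ADMIN_PREFIX = "/v1/Plan"

def is_admin_path(path):
    """Match /v1/Plan and its sub-paths by path segment, ignoring any query string."""
    path = path.split("?", 1)[0]
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")

def allow_request(src_ip, path, trusted=TRUSTED_NETS):
    """Compensating control: only trusted sources may reach the plan-management API;
    every other path is left alone."""
    if not is_admin_path(path):
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)

def denied_requests(lines, trusted=TRUSTED_NETS):
    """Replay access-log lines ('<src_ip> <method> <path>', a constructed format)
    through the policy and return the ones that would be blocked."""
    return [ln for ln in lines if not allow_request(ln.split()[0], ln.split()[2], trusted)]

# Constructed sample log: two hits on the administrative endpoint from an untrusted source.
SAMPLE_LOG = [
    "10.10.0.7 GET /v1/Plan",
    "192.0.2.5 POST /v1/Plan/create",
    "203.0.113.9 GET /v1/Plan",
    "203.0.113.9 POST /v1/Plan/create?cost=0",
    "198.51.100.4 GET /index.html",
]
```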