{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25058", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.889Z", "datePublished": "2026-04-20T16:03:06.639Z", "dateUpdated": "2026-04-20T16:12:27.988Z"}, "containers": {"cna": {"title": "Vexa's unauthenticated internal transcript endpoint exposed by default", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh"}], "affected": [{"vendor": "Vexa-ai", "product": "vexa", "versions": [{"version": "< 0.10.0-260419-1910", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:03:06.639Z"}, "descriptions": [{"lang": "en", "value": "Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue."}], "source": {"advisory": "GHSA-w73r-2449-qwgh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:12:23.657334Z", "id": "CVE-2026-25058", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:12:27.988Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25058", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:12:23.657334Z"}}}], "references": [{"url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:12:15.591Z"}}], "cna": {"title": "Vexa's unauthenticated internal transcript endpoint exposed by default", "source": {"advisory": "GHSA-w73r-2449-qwgh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Vexa-ai", "product": "vexa", "versions": [{"status": "affected", "version": "< 0.10.0-260419-1910"}]}], "references": [{"url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh", "name": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:03:06.639Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25058", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:12:27.988Z", "dateReserved": "2026-01-28T14:50:47.889Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T16:03:06.639Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue."}], "id": "CVE-2026-25058", "lastModified": "2026-04-20T19:03:07.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T16:16:41.763", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-w73r-2449-qwgh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T17:20:06.481721+00:00", "value": {"mitigation_remediation": ["Upgrade Vexa to version 0.10.0\u2011260419\u20111910 or later.", "Block external network traffic to the internal transcripts endpoint using firewall or reverse\u2011proxy rules.", "If an upgrade cannot be performed immediately, restrict access to the /internal/transcripts/{meeting_id} endpoint to trusted IP ranges and monitor for suspicious activity."], "summary": {"action": "Patch", "impact": "Unauthorized Data Exposure"}, "threat_synthesis": {"affected_systems": "The issue affects the Vexa meeting bot and transcription API supplied by Vexa\u2011ai. Any deployment of the transcription\u2011collector service that is built from versions prior to 0.10.0\u2011260419\u20111910 is vulnerable. Upgrading to the 0.10.0\u2011260419\u20111910 release or newer removes the exposed internal endpoint.", "description_and_impact": "The vulnerability is an unauthenticated and unauthorised internal endpoint GET /internal/transcripts/{meeting_id} that allowed any attacker to retrieve transcript data for any meeting. The weakness falls under missing authentication (CWE\u2011306) and missing authorization (CWE\u2011862). An attacker can enumerate meeting identifiers, download full transcripts, and therefore obtain confidential business conversations, passwords, and personal data, representing a significant breach of confidentiality.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity. The EPSS score is not available, but the lack of authentication means that once the service is reachable, an attacker can request transcript data with a simple HTTP GET. Because the endpoint is logical internal, the attack vector is likely in an internal network or a publicly exposed API; therefore, any organization running a vulnerable version on a network that can be reached by an attacker faces a high risk of confidential data leakage. The vulnerability is not listed in CISA KEV, but the lack of safeguards makes exploitation straightforward once the attacker has network access."}}}}, "created": "2026-04-20T17:30:12.650317+00:00", "updated": "2026-04-20T17:30:12.650328+00:00", "vendors": []}