CVE-2026-25058

Vexa's unauthenticated internal transcript endpoint exposed by default

Assigner: GitHub_M
Reserved: 28.01.2026 Published: 20.04.2026 Updated: 20.04.2026

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint GET /internal/transcripts/{meeting_id} that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Vexa-ai
Product	vexa
Versions	Version < 0.10.0-260419-1910 is affected

Vendor

Vexa-ai

Product

vexa

Versions

Version < 0.10.0-260419-1910 is affected

References

Problem Types

CWE-306: Missing Authentication for Critical Function CWE
CWE-862: Missing Authorization CWE

CVE-2026-25058 PUBLISHED

Vexa's unauthenticated internal transcript endpoint exposed by default

Metrics

Product Status

References

Problem Types