CVE-2026-49192— Summary Service Insecure Direct Object Reference
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Acer | Connect M6E 5G Portable WiFi Router | *≤ M6E_AI_1.00.000019 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49192
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Summary Service Insecure Direct Object Reference
Source: NVD (National Vulnerability Database)
Vulnerability Description
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Acer M6E 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Acer M6E是中国台湾宏碁(Acer)公司的一款便携式5G移动热点设备。 Acer M6E存在安全漏洞,该漏洞源于summary服务端点IDOR漏洞,未能验证用户对硬件序列号的所有权,可能导致设备数据被爬取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Acer | Connect M6E 5G Portable WiFi Router | * ~ M6E_AI_1.00.000019 | - |
II. Public POCs for CVE-2026-49192
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49192
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-49192 (1)
Same Patch Batch · Acer · 2026-06-04 · 26 CVEs total
| CVE-2026-50224 | Unauthenticated IPv6 WAN Management Exposure | |
| CVE-2026-50206 | VPN Command Injection Vulnerability | |
| CVE-2026-50205 | Plaintext Log Credential Leakage | |
| CVE-2026-50207 | Local Modem Manipulation via Binder Interfaces | |
| CVE-2026-50226 | Firmware Theft & IMEI Spoofing via Connect-OTA | |
| CVE-2026-50225 | Account Creation Exhaustion | |
| CVE-2026-50212 | Arbitrary Remote Device Unbinding | |
| CVE-2026-50211 | Exposed Factory Testing App Boundaries | |
| CVE-2026-50209 | MDM Server Registration Overriding | |
| CVE-2026-50210 | Weak Static Cryptographic Initialization Vectors | |
| CVE-2026-50213 | Bulk User Private Data Harvesting | |
| CVE-2026-50208 | Permissive TrustAllCerts TLS Verification | |
| CVE-2026-50214 | Shared Secret Quota Inflation | |
| CVE-2026-49204 | Hard-coded AWS Cognito Testing Accounts | |
| CVE-2026-49186 | Lack of MQTT Broker Topic Access Control Lists | |
| CVE-2026-49191 | Exposed Hard-coded M3WebServer Backend API Key | |
| CVE-2026-49189 | Broadcast Receiver Privilege Escalation | |
| CVE-2026-49190 | Missing Per-Instruction Authorization Checks | |
| CVE-2026-49202 | Unverified Meeting Recording Endpoints & Permissive CORS | |
| CVE-2026-49194 | SCREEN_CLICK Authentication Bypass |
Showing top 20 of 26 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same weakness: CWE-639
- CVE-2026-12204
ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral - CVE-2026-1291
Meow Gallery <= 5.4.4 - Missing Authorization to Authenticat - CVE-2026-54361
MISP mass assignment vulnerabilities allow unauthorized modi - CVE-2026-54360
MISP sharing group creation mass assignment allows unauthori - CVE-2026-53726
Parse Server: Relation `$relatedTo` query bypasses `protecte
V. Comments for CVE-2026-49192
No comments yet