CVE-2026-0856
Description
Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user to gain access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mesalvo Meona lacks server-side permission checks, letting standard users access the admin panel and all its functions.
Vulnerability
An improper access control vulnerability exists in the Mesalvo Meona server and client launcher components. The server does not verify the permissions of the supplied credentials, allowing any authenticated user—regardless of their assigned role—to access the administration panel. This affects Meona Client Launcher Component through version 19.06.2020 15:11:49 and Meona Server Component through version 2025.04 5+323020 [1].
Exploitation
An attacker only needs valid credentials for any regular user account (no administrative privileges required). By sending HTTP requests to the backend server with those credentials, the attacker can simply navigate to the admin panel URLs; the server will not check whether the user is authorized to access it. No additional tools or special network access beyond what the application normally uses are needed [1].
Impact
Successful exploitation grants the attacker full administrative access to the Meona admin panel. This provides complete control over all data and functions within the portal, leading to unauthorized disclosure of sensitive patient information, the ability to modify or delete records, and potential for further lateral movement across the healthcare system [1].
Mitigation
Mesalvo has not yet released an official fix for this vulnerability as of the publication date of the advisory [1]. No workaround is documented. The software is used in healthcare, so administrators should monitor vendor updates closely and consider network-level restrictions (e.g., VPN-only access to the admin interface) until a patch is available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2020-06-19 15:11:49
- Range: <= 2025.04 build 5+323020
Patches
No patches discovered yet.
References