CVE-2026-22315
Description
An Incorrect Privilege Assignment vulnerability in the Mesalvo Meona Client Launcher Component and the Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incorrect privilege assignment in Meona allows exporting user data including cleartext passwords via the SQL editor.
Vulnerability
CVE-2026-22315 is an incorrect privilege assignment vulnerability in the Mesalvo Meona Client Launcher Component (through version 19.06.2020 15:11:49) and the Meona Server Component (through version 2025.04 5+323020). The backend server does not verify user permissions, enabling users with regular credentials to access the admin panel and use the SQL editor. This allows exporting user data, including cleartext passwords [1].
Exploitation
An attacker with only regular (non-admin) credentials can access the admin panel due to the lack of server-side permission verification [1]. Once inside the admin interface, the SQL editor is accessible, allowing the attacker to execute queries that export user data, including cleartext passwords. No additional privileges or special network access beyond standard HTTP connectivity to the backend are required [1].
Impact
Successful exploitation results in the disclosure of cleartext user passwords and other sensitive user data. This information disclosure can lead to unauthorized access to patient data, lateral movement within the application, and other malicious actions [1]. The attacker gains a significant advantage by obtaining credentials in plaintext.
Mitigation
Mesalvo has not yet released a public patch for the affected versions. Users should monitor vendor advisories for updates and apply patches when available. As a workaround, restrict network access to the Meona server to trusted hosts and enforce strict access controls. Note that this vulnerability is not listed in CISA KEV at the time of writing [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=19.06.2020 15:11:49
- Range: <=2025.04 5+323020
Patches
No patches discovered yet.
References