VYPR
High severity7.5NVD Advisory· Published Apr 20, 2026· Updated Apr 23, 2026

CVE-2026-25058

CVE-2026-25058

Description

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint GET /internal/transcripts/{meeting_id} that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Vexa/Vexa2 versions
    cpe:2.3:a:vexa:vexa:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:vexa:vexa:*:*:*:*:*:*:*:*range: <=0.10
    • (no CPE)range: <0.10.0-260419-1910

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.