VYPR
Medium severity 4.4 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-25602

Description

An Insufficient Verification of Data Authenticity vulnerability in the Mesalvo Meona Client Launcher Component and the Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mesalvo Meona components allow unvalidated message sending to any email address, enabling email spoofing with only user-level credentials.

Vulnerability

The Meona Client Launcher Component (through version 19.06.2020 15:11:49) and Meona Server Component (through version 2025.04 5+323020) lack proper verification of data authenticity. The backend server does not validate the permissions of the supplied credentials, so a regular (non-admin) authenticated user can abuse the message-sending functionality to send emails to arbitrary recipients without restriction [1].

Exploitation

An attacker with valid but non-privileged user credentials can directly access the message sending feature. Because the server fails to verify user permissions, the attacker can craft messages and submit them via the client-launcher interface, targeting any email address [1]. The attacker does not need admin access or any special network position beyond being an authenticated user of the Meona system.

Impact

Successful exploitation enables email spoofing — the attacker can send messages that appear to originate from the legitimate Meona system to any external email address. This could be leveraged for phishing attacks against patients, staff, or other parties, undermining trust in communications from the healthcare application [1].

Mitigation

As of the publication date (2026-05-20), no fixed version has been released; the vulnerabilities were disclosed during a coordinated disclosure process supported by the Austrian CERT [1]. Users should monitor vendor advisories for patches. A workaround is not described in the available references [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
