
CVE-2026-58446

MEDIUM
6.5
CVSS 3.1
Description
Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth_request gate to that path and the MCP server auto-mints a valid internal session token for the configured user. A remote unauthenticated attacker can invoke MCP tools such as generate_presentation, performing authenticated application actions, consuming the operator's configured LLM API keys, and creating presentations in the operator's instance. The Electron desktop build is not affected (MCP is disabled there).
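The gating mistake the description names, shown as an added illustrative nginx configuration. This is not Presenton's actual nginx config, nor the project's fix; the upstream names, ports, the internal auth-check path (/_auth_check), the backend auth endpoint (/api/auth/check) and the public login path (/api/auth/login) are all assumptions chosen for the example. The first server block has the vulnerable shape: auth_request is attached to the application location only, so a separate /mcp location proxies straight through. The second block sets the gate at server scope so every location, /mcp included, inherits it and any public path must opt out explicitly.

```nginx
# Added example, not Presenton's configuration. Ports, upstream names
# and auth endpoint paths below are assumptions.

upstream app_backend { server 127.0.0.1:8000; }   # assumed application port
upstream mcp_backend { server 127.0.0.1:8001; }   # assumed MCP server port

# --- Vulnerable shape (CWE-306): the gate is applied per location and the
# --- /mcp location simply does not have it.
server {
    listen 80;
    server_name vulnerable.example;

    # Internal subrequest target: the app answers 2xx for a valid session,
    # 401 otherwise. Cookies are forwarded by proxy_pass by default.
    location = /_auth_check {
        internal;
        proxy_pass http://app_backend/api/auth/check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        auth_request /_auth_check;       # gated
        proxy_pass http://app_backend;
    }

    location /mcp {
        # No auth_request here: every request reaches the MCP server
        # unauthenticated, and the MCP server then acts as the configured user.
        proxy_pass http://mcp_backend;
    }
}

# --- Hardened shape: default-deny at server scope, explicit opt-outs only.
server {
    listen 80;
    server_name hardened.example;

    # Every location inherits this unless it sets "auth_request off".
    auth_request /_auth_check;

    location = /_auth_check {
        internal;
        auth_request off;                # the check itself must not be gated
        proxy_pass http://app_backend/api/auth/check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Assumed public login endpoint: the one deliberate opt-out.
    location = /api/auth/login {
        auth_request off;
        proxy_pass http://app_backend;
    }

    location / {
        proxy_pass http://app_backend;   # inherits the gate
    }

    location /mcp {
        # Inherits the gate: an unauthenticated request gets 401 from nginx
        # and never reaches the MCP server.
        proxy_pass http://mcp_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;             # MCP over HTTP may stream (SSE)
        proxy_read_timeout 300s;
    }
}
```

To verify a deployment after changing the front-end, send an unauthenticated POST to /mcp from outside the host: the expected result is a 401 from nginx rather than an MCP response. Two caveats: the nginx gate only closes the path through the front-end, so the MCP port should not be published from the container where it could be reached directly (an assumption about the deployment, not something the advisory states), and the auto-minted internal session token is application behaviour that a proxy rule does not change; the supported fix remains upgrading to 0.8.8-beta or later.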

Metadata

CVE ID
CVE-2026-58446
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-30 19:09 UTC
Published
2026-06-30 21:05 UTC
Last updated
2026-06-30 21:05 UTC
Primary CWE
CWE-306
Missing Authentication for Critical Function
Vendor / Product
presenton / presenton
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected products (1)
Vendor     Product    Platform   Versions
presenton  presenton  -          from 0, before 0.8.8-beta
Weakness (CWE)
CWE      Source   Description
CWE-306  cna      Missing Authentication for Critical Function
CVSS scores (2)
Score  Severity  Version  Source  Vector
6.9    MEDIUM    4.0      cna     CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
6.5    MEDIUM    3.1      cna     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L