GHSA-9f32-pf5h-p947HighCVSS 6.5

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table...

Published
June 29, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.

🔗 References (6)