No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Wed, 01 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 30 Jun 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PASSWORD), is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth_request gate to that path and the MCP server auto-mints a valid internal session token for the configured user. A remote unauthenticated attacker can invoke MCP tools such as generate_presentation, performing authenticated application actions, consuming the operators configured LLM API keys, and creating presentations in the operators instance. The Electron desktop build is not affected (MCP disabled). | |
| Title | Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint | |
| First Time appeared |
Presenton
Presenton presenton |
|
| Weaknesses | CWE-306 | |
| CPEs | cpe:2.3:a:presenton:presenton:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Presenton
Presenton presenton |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-01T13:58:28.447Z
Reserved: 2026-06-30T19:09:07.025Z
Link: CVE-2026-58446
Updated: 2026-07-01T13:58:15.327Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T13:30:15Z