Category
CVE
CVE-2025-49603 - Improper access control of device groups in Mender Server
An ethical hacker on our HackerOne private bug bounty program recently discovered and disclosed access control issues with device groups in Mender Server.
CVE-2024-55959 - Insecure permissions on private key file generated by the Mender Client
A customer recently notified us of a security issue in Mender. On some versions, mender-auth generates private key files with non-strict file permissions.
CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server
Recently discovered security vulnerabilities in Mender Server have been fixed.
CVE-2024-46948 - Missing filtering based on RBAC device groups
A customer recently notified us of a security issue in Mender. For users of RBAC and device groups, one specific API did not filter devices correctly.
CVE-2024-37019 - Account takeover using SAML
CVE-2024-37019 is an account-takeover vulnerability in Mender Enterprise which was fixed in versions 3.6.4 and 3.7.4.
CVE-2022-45929 & CVE-2022-41324 — Improper access control for low-privileged users
We recently discovered vulnerabilities in Mender Enterprise which relate to access control. Low-privileged read-only users had access to editing settings they were not supposed to edit and see potentially sensitive information which was not necessary.
CVE-2022-32290 - Mender Client listening on all the interfaces
We recently discovered a vulnerability in the Mender Client versions 3.2.0, 3.2.1, and 3.2.2. The client listens on a random, unprivileged TCP port and exp
CVE-2022-29555 & CVE-2022-29556 - vulnerabilities in iot-manager and deviceconnect
We recently discovered two vulnerabilities in Mender, thanks to the security researchers April Chaire, Jeff Hofmann, Joey Perme, Nathaniel Singer and Matte
CVE-2021-35342 - useradm incorrect access control vulnerability
We recently discovered a vulnerability in Mender Enterprise, thanks to the security researcher Mubassir Kamdar, and we have now fixed it. When the User Adm