Category: CVE

    CVE-2025-49603 - Improper access control of device groups in Mender Server

    An ethical hacker on our HackerOne private bug bounty program recently discovered and disclosed access control issues with device groups in Mender Server.
    CVE-2024-55959 - Insecure permissions on private key file generated by the Mender Client

    A customer recently notified us of a security issue in Mender. On affected versions, mender-auth generates its private key file with permissions that are not restricted to the file owner, so other local users on the device may be able to read it.
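The advisory summary above describes a permissions defect on the device, so the first thing an operator wants is a way to audit a fleet for it. The following shell functions are an added example written for this page, not code from the Mender project or from the advisory: they flag a key file whose mode grants any permission to group or others and optionally tighten it to 0600. The default path /var/lib/mender/mender-agent.pem and the use of GNU `stat -c %a` are assumptions; pass the real key path if yours differs.

```shell
#!/bin/sh
# Added example, not Mender's code: check whether a private key file is
# readable or writable by group or others, which is the condition
# CVE-2024-55959 describes for keys generated by mender-auth on affected
# versions.
# Assumptions: DEFAULT_KEY below is an assumed default location, and
# `stat -c %a` is GNU coreutils (on BSD/macOS use `stat -f %Lp` instead).

DEFAULT_KEY=/var/lib/mender/mender-agent.pem   # assumed default location

# check_key_mode [path]
# Returns 0 if only the owner has any permission bits, 1 if any group or
# other bits are set, 2 if the file is missing or cannot be inspected.
check_key_mode() {
    key="${1:-$DEFAULT_KEY}"
    if [ ! -f "$key" ]; then
        echo "missing: $key" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$key") || return 2      # e.g. 600, 644, 4755
    # Prefix with 0 so the shell parses the mode as octal; masking with
    # 077 keeps only the group and other permission bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "INSECURE: $key has mode $mode (group/other bits set)" >&2
        return 1
    fi
    echo "ok: $key has mode $mode"
    return 0
}

# fix_key_mode [path]
# Tightens the mode to 0600 and re-runs the check. Note that a key which
# was readable by other local users may already have been copied; fixing
# the mode does not undo that, so rotating the device key is the safer
# follow-up.
fix_key_mode() {
    key="${1:-$DEFAULT_KEY}"
    chmod 0600 "$key" && check_key_mode "$key"
}
```

Source the file and run `check_key_mode` (with no argument for the assumed default path, or with the actual key path) across devices; a non-zero return on a key file that exists means the device is affected.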
    CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server

    Two server-side request forgery (SSRF) vulnerabilities recently discovered in Mender Enterprise Server have been fixed.
    CVE-2024-46948 - Missing filtering based on RBAC device groups

    A customer recently notified us of a security issue in Mender. For users of RBAC and device groups, one specific API did not filter devices correctly.
    CVE-2024-37019 - Account takeover using SAML

    CVE-2024-37019 is an account-takeover vulnerability in Mender Enterprise which was fixed in versions 3.6.4 and 3.7.4.
    CVE-2022-45929 & CVE-2022-41324 — Improper access control for low-privileged users

    We recently discovered access control vulnerabilities in Mender Enterprise. Low-privileged read-only users could edit settings they were not supposed to edit and could view potentially sensitive information they did not need access to.
    CVE-2022-32290 - Mender Client listening on all the interfaces

    We recently discovered a vulnerability in the Mender Client versions 3.2.0, 3.2.1, and 3.2.2. The client listens on a random, unprivileged TCP port and exp
    CVE-2022-29555 & CVE-2022-29556 - vulnerabilities in iot-manager and deviceconnect

    We recently discovered two vulnerabilities in Mender, thanks to the security researchers April Chaire, Jeff Hofmann, Joey Perme, Nathaniel Singer and Matte
    CVE-2021-35342 - useradm incorrect access control vulnerability

    We recently discovered a vulnerability in Mender Enterprise, thanks to the security researcher Mubassir Kamdar, and we have now fixed it. When the User Adm