Category

CVE

    CVE-2026-49009 & CVE-2026-33552 - Input sanitization and access control issues in Mender Server

    Two security vulnerabilities were recently discovered and fixed in Mender Server.
    CVE-2025-67903 - Signature verification bypass in Mender Client

    Security vulnerability enabling signature verification bypass in Mender Client versions 5.0.0 to 5.0.3.
    CVE-2025-49603 - Improper access control of device groups in Mender Server

    An ethical hacker on our HackerOne private bug bounty program recently discovered and disclosed access control issues with device groups in Mender Server.
    CVE-2024-55959 - Insecure permissions on private key file generated by the Mender Client

    A customer recently notified us of a security issue in Mender. On some versions, mender-auth generates private key files with non-strict file permissions.
    CVE-2024-46947 & CVE-2024-47190 - SSRF issues in Mender Enterprise Server

    Recently discovered security vulnerabilities in Mender Server have been fixed.
    CVE-2024-46948 - Missing filtering based on RBAC device groups

    A customer recently notified us of a security issue in Mender. For users of RBAC and device groups, one specific API did not filter devices correctly.
    CVE-2024-37019 - Account takeover using SAML

    CVE-2024-37019 is an account-takeover vulnerability in Mender Enterprise which was fixed in versions 3.6.4 and 3.7.4.
    CVE-2022-45929 & CVE-2022-41324 — Improper access control for low-privileged users

    We recently discovered vulnerabilities in Mender Enterprise which relate to access control. Low-privileged read-only users were able to edit settings they were not supposed to edit and to see potentially sensitive information they did not need to see.
    CVE-2022-32290 - Mender Client listening on all the interfaces

    We recently discovered a vulnerability in the Mender Client versions 3.2.0, 3.2.1, and 3.2.2. The client listens on a random, unprivileged TCP port and exp