[GH-ISSUE #1781] (UPSTREAM) MeshCentral Security Vunlerability when version <1.1.20 #3052

New issue

Closed

opened 2026-03-14 06:22:30 +03:00 by kerem · 2 comments

kerem commented 2026-03-14 06:22:30 +03:00

Owner

Copy link

Originally created by @LPJon on GitHub (Mar 4, 2024).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1781

@wh1te909 Just reporting to make you aware that there has been a securty vulnerability reported for Meshcentral servers which are less than version 1.1.20. The link below will take you to the vulnerability explanation. I will note that I successfully manually updated Meshcentral myself to version 1.1.21 already but most users probably won't do that.

Here is the link:
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability

A possible breach has already been detected a few days ago and that link can be found here:
"Accepted password for undefined" #5870

Originally created by @LPJon on GitHub (Mar 4, 2024). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1781 @wh1te909 Just reporting to make you aware that there has been a securty vulnerability reported for Meshcentral servers which are less than version 1.1.20. The link below will take you to the vulnerability explanation. I will note that I successfully manually updated Meshcentral myself to version 1.1.21 already but most users probably won't do that. Here is the link: [MeshCentral cross-site websocket hijacking (CSWSH) vulnerability](https://github.com/Ylianst/MeshCentral/security/advisories/GHSA-cp68-qrhr-g9h8) A possible breach has already been detected a few days ago and that link can be found here: [ "Accepted password for undefined" #5870 ](https://github.com/Ylianst/MeshCentral/issues/5870)

kerem closed this issue 2026-03-14 06:22:35 +03:00

kerem commented 2026-03-14 06:22:41 +03:00

Author

Owner

Copy link

@wh1te909 commented on GitHub (Mar 4, 2024):

I am aware, and this isn't the place to report security vulns, please see our security policy I have already tested mesh version 1.1.21 and it will be in the next release. The mesh security vuln is not easily exploitable (requires the attacker to hijack a subdomain you own). The issue you linked about undefined user has nothing to do with the mesh vuln.

<!-- gh-comment-id:1975530178 --> @wh1te909 commented on GitHub (Mar 4, 2024): I am aware, and this isn't the place to report security vulns, please see our [security policy](https://github.com/amidaware/tacticalrmm/blob/develop/SECURITY.md) I have already tested mesh version 1.1.21 and it will be in the next release. The mesh security vuln is not easily exploitable (requires the attacker to hijack a subdomain you own). The issue you linked about undefined user has nothing to do with the mesh vuln.

kerem commented 2026-03-14 06:22:46 +03:00

Author

Owner

Copy link

@LPJon commented on GitHub (Mar 4, 2024):

@wh1te909 Umm.....that was my bad. Sorry for incorrectly reporting this. I was in a hurry and didn't look.

<!-- gh-comment-id:1975797405 --> @LPJon commented on GitHub (Mar 4, 2024): @wh1te909 Umm.....that was my bad. Sorry for incorrectly reporting this. I was in a hurry and didn't look.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

1.0.0

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.20.1

v0.20.0

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.5

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.12

v0.15.11

v0.15.10

v0.15.9

v0.15.8

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.2

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.32

v0.4.31

v0.4.30

v0.4.29

v0.4.28

v0.4.27

v0.4.26

v0.4.25

v0.4.24

v0.4.23

v0.4.22

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.10

v0.4.9

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

In Process

  

bug

  

bug

  

dev-triage

  

documentation

  

duplicate

  

enhancement

  

fixed

  

good first issue

  

help wanted

  

integration

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

requires agent update

  

security

  

ui tweak

  

wontfix

No labels

In Process

bug

bug

dev-triage

documentation

duplicate

enhancement

fixed

good first issue

help wanted

integration

invalid

pull-request

question

requires agent update

security

ui tweak

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/tacticalrmm#3052

No description provided.