← All CVEs

CVE-2026-49197

CRITICAL 10

Published 2026-05-29 · Last modified 2026-05-29

Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.

ELEVATED IMPACT

Severe if exploited (CVSS 10), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.3%chance of exploitation in 30 days · 25th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

10CVSS 4.0 · CRITICAL

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityHigh

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Acer

Products Predator Connect W6x

Weakness (CWE)

  • CWE-287: Improper authentication

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Sources: NVD · CVE.org · EPSS