How to fix CVE-2025-69907?

Within 24 hours: Identify all Newgen OmniDocs instances in your environment and restrict network access to the /omnidocs/GetListofCabinet endpoint to trusted internal networks only. Within 7 days: Implement WAF rules to require authentication tokens/session validation before allowing API requests to affected endpoints, and audit logs for unauthorized access attempts. Within 30 days: Contact Newgen for patch timeline, evaluate network segmentation options, and consider disabling the cabinet enumeration API if business operations permit.

CVE-2025-69907

HIGH

2026-01-23 [email protected]

Information Disclosure

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 23, 2026 - 15:16 nvd

HIGH 7.5

DescriptionNVD

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks.

AnalysisAI

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. [CVSS 7.5 HIGH]

Technical ContextAI

Classified as CWE-284 (Improper Access Control). An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks.

Affected ProductsAI

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/Ge

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-69907 vulnerability details – vuln.today

Back

CVE-2025-69907

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code