Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
AnalysisAI
Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated remote attacker to crash the MFserver process, disrupting document management services for all connected users. The flaw is reachable over the network with low privileges and no user interaction, but has no impact on confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Technical ContextAI
M-Files Server is the backend service of M-Files Corporation's enterprise document management and information governance platform, exposing the MFserver process to authenticated client connections. The weakness is classified as CWE-1286 (Improper Validation of Syntactic Correctness of Input), indicating that the server fails to properly validate the structural correctness of input it receives from authenticated clients, leading the MFserver process to terminate unexpectedly. The affected CPE cpe:2.3:a:m-files_corporation:m-files_server covers all M-Files Server installations below the listed fixed builds across the current, 26.2 LTS, and 25.8 LTS release trains.
RemediationAI
Vendor-released patch: upgrade M-Files Server to 26.5.16015.0 or later on the current train, to 26.2 LTS, or to 25.8 LTS SR3 depending on the deployed release line, as published in the M-Files advisory at https://empower.m-files.com/security-advisories/CVE-2026-0983. Until patching is possible, restrict M-Files Server access to trusted networks and reduce the population of accounts that can authenticate to the server - for example by tightening AD group membership for M-Files logins and disabling unused or test accounts - accepting that this will block legitimate remote or contractor access and is only a partial mitigation since any retained authenticated user can still trigger the crash. Operationally, ensure the MFserver process is supervised so that an induced crash auto-restarts (via the Windows service recovery settings) and monitor for repeated unexpected service stops as a detection signal.
More in M Files Server
View allLack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authe
Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLD
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specif
A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 2
Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0. Rated high severity (
Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allow
A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API me
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonym
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle
Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive
Blind server-side request forgery in M-Files Server before version 26.3 allows unauthenticated remote attackers to force
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30767
GHSA-x6cg-7p5m-7wcc