Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.
This issue affects KlinikaXP: before 5.39.01.01. and KlinikaXP Insertino before 3.1.0.1
Beside removing the hardcoded credentials from the code, previously exposed credentials were also rotated preventing further attack attempts.
AnalysisAI
Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.
Technical ContextAI
This vulnerability stems from CWE-798 (Use of Hard-coded Credentials), a critical authentication weakness where sensitive credentials are embedded directly in application source code or binaries. The affected products—Klinika XP (CPE: cpe:2.3:a:bri:klinikaxp:*:*:*:*:*:*:*:*) and KlinikaXP Insertino (CPE: cpe:2.3:a:bri:klinikaxp_insertino:*:*:*:*:*:*:*:*)—are medical clinic management applications developed by BRI that use FTP for software distribution. An attacker with access to compiled binaries, source code repositories, or reverse-engineering capabilities can extract these credentials and authenticate to the FTP service without legitimate authorization. The architecture assumes security through obscurity rather than proper credential management, and the use of FTP (an unencrypted protocol) compounds the risk by allowing credential interception on the wire.
RemediationAI
Immediately upgrade KlinikaXP to version 5.39.01.01 or later and KlinikaXP Insertino to version 3.1.0.1 or later. These versions remove hard-coded credentials from the codebase. Contact BRI to confirm that previously exposed credentials have been rotated on all FTP servers and authentication systems. Until patching is complete, implement network segmentation to restrict FTP access to trusted administrative networks only, disable FTP where possible in favor of SFTP or other encrypted protocols, and monitor FTP server logs for unauthorized access attempts. Audit all client machines for unexpected or unsigned updates installed between the vulnerability discovery date and patch deployment, and review update package integrity using digital signatures if available. See vendor advisory at https://www.klinikaxp.pl/ and https://cert.pl/posts/2026/03/CVE-2026-1958 for additional guidance.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14411
GHSA-jwgm-6w3j-r9x7