Skip to main content

Klinikaxp Insertino CVE-2026-1958

| EUVDEUVD-2026-14411 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-03-23 CERT-PL GHSA-jwgm-6w3j-r9x7
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:18 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.1.0.1,5.39.01.01
EUVD ID Assigned
Mar 23, 2026 - 13:00 euvd
EUVD-2026-14411
Analysis Generated
Mar 23, 2026 - 13:00 vuln.today
CVE Published
Mar 23, 2026 - 12:40 nvd
HIGH 8.7

DescriptionCVE.org

Use of hard-coded credentials in Klinika XP and KlinikaXP Insertino allowed an unauthorized attacker access to several internal services. Critically, this included access to the FTP server that hosted the application's update packages. The attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update.

This issue affects KlinikaXP: before 5.39.01.01. and KlinikaXP Insertino before 3.1.0.1

Beside removing the hardcoded credentials from the code, previously exposed credentials were also rotated preventing further attack attempts.

AnalysisAI

Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.

Technical ContextAI

This vulnerability stems from CWE-798 (Use of Hard-coded Credentials), a critical authentication weakness where sensitive credentials are embedded directly in application source code or binaries. The affected products—Klinika XP (CPE: cpe:2.3:a:bri:klinikaxp:*:*:*:*:*:*:*:*) and KlinikaXP Insertino (CPE: cpe:2.3:a:bri:klinikaxp_insertino:*:*:*:*:*:*:*:*)—are medical clinic management applications developed by BRI that use FTP for software distribution. An attacker with access to compiled binaries, source code repositories, or reverse-engineering capabilities can extract these credentials and authenticate to the FTP service without legitimate authorization. The architecture assumes security through obscurity rather than proper credential management, and the use of FTP (an unencrypted protocol) compounds the risk by allowing credential interception on the wire.

RemediationAI

Immediately upgrade KlinikaXP to version 5.39.01.01 or later and KlinikaXP Insertino to version 3.1.0.1 or later. These versions remove hard-coded credentials from the codebase. Contact BRI to confirm that previously exposed credentials have been rotated on all FTP servers and authentication systems. Until patching is complete, implement network segmentation to restrict FTP access to trusted administrative networks only, disable FTP where possible in favor of SFTP or other encrypted protocols, and monitor FTP server logs for unauthorized access attempts. Audit all client machines for unexpected or unsigned updates installed between the vulnerability discovery date and patch deployment, and review update package integrity using digital signatures if available. See vendor advisory at https://www.klinikaxp.pl/ and https://cert.pl/posts/2026/03/CVE-2026-1958 for additional guidance.

Share

CVE-2026-1958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy