What is the CVSS score of CVE-2026-2493?

CVE-2026-2493 has a CVSS 3.0 base score of 7.5 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 10.3%.

Which versions of Icewarp are affected by CVE-2026-2493?

CVE-2026-2493 presents a high-risk vulnerability in IceWarp collaboration software that could allow unauthenticated attackers to access sensitive files with root-level privileges.

How to fix or mitigate CVE-2026-2493?

Within 24 hours: Inventory all IceWarp deployments and assess network exposure; isolate affected systems or restrict network access if business-critical. Within 7 days: Implement WAF rules to block directory traversal patterns targeting IceWarp; apply network segmentation to limit lateral movement if compromise occurs. Within 30 days: Engage IceWarp vendor for patch timeline; evaluate migration to alternative collaboration platforms if patch availability remains unclear; conduct vulnerability scanning of affected systems for signs of exploitation.

Icewarp CVE-2026-2493

EUVD-2026-12109 HIGH

Path Traversal (CWE-22)

2026-03-13 zdi

Path Traversal Information Disclosure Icewarp

7.5

CVSS 3.0 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 13, 2026 - 21:01 euvd

EUVD-2026-12109

Analysis Generated

Mar 13, 2026 - 21:01 vuln.today

CVE Published

Mar 13, 2026 - 20:42 nvd

HIGH 7.5

DescriptionCVE.org

IceWarp collaboration Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability.

The specific flaw exists within handling of the ticket parameter provided to the collaboration endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-25440.

AnalysisAI

IceWarp collaboration platform contains an unauthenticated directory traversal vulnerability that allows remote attackers to read sensitive files from the server. The flaw exists in HTTP request handling, enabling access to configuration files, user data, and potentially email contents stored on the server.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send crafted request with path traversal payload in ticket parameter

Exploit

Bypass path validation in collaboration endpoint

Execution

Access sensitive files outside intended directory

Impact

Disclose information as root user

Access

Send crafted request with path traversal payload in ticket parameter

Exploit

Bypass path validation in collaboration endpoint

Execution

Access sensitive files outside intended directory

Impact

Disclose information as root user

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against IceWarp installations with collaboration endpoint exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5, EPSS 10.3%. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker sends traversal requests to the IceWarp HTTP interface, reading configuration files containing database credentials and SMTP settings. They access stored email files, extracting confidential business communications and attachment files.
Remediation	Apply the IceWarp security patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all IceWarp deployments and assess network exposure; isolate affected systems or restrict network access if business-critical. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-2493 vulnerability details – vuln.today

Back

Icewarp CVE-2026-2493

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code