Skip to main content

Wertheim SafeController CVE-2026-34024

| EUVDEUVD-2026-36707 HIGH
Missing Authorization (CWE-862)
2026-06-15 SEC-VLab GHSA-69r2-vwm9-7qqc
8.6
CVSS 4.0 · Vendor: SEC-VLab
Share

Severity by source

Vendor (SEC-VLab) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable web endpoints (AV:N), no special conditions (AC:L), requires a low-privilege authenticated session (PR:L), no user interaction (UI:N); cross-branch file read and write give C:H/I:H, no availability impact (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (SEC-VLab).

CVSS VectorVendor: SEC-VLab

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 12:22 vuln.today

DescriptionCVE.org

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches.

AnalysisAI

Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authenticated users to reach hidden web endpoints and perform restricted operations including branch switching, arbitrary file upload/download, and viewing details of arbitrary branches. The flaw stems from missing access control on endpoints that exist server-side but are not surfaced in the UI, breaking the product's tenancy/segregation between branches. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.6 (high).

Technical ContextAI

Wertheim SafeController is the management software for Wertheim vault-room and safe-deposit-locker systems (CPE cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_software_for_vault_rooms_(safe_deposit_locker_system)). Authorization in the application appears to be enforced primarily by hiding controls in the frontend rather than re-checking permissions on the server, the classic CWE-862 (Missing Authorization) pattern. Because the affected endpoints accept HTTP requests directly from any authenticated session, the trust boundary between low-privilege users and administrator/branch-restricted functionality is effectively non-existent at the API layer, and branch isolation (the multi-tenant boundary that keeps one locker branch separate from another) collapses.

RemediationAI

No vendor-released patch identified at time of analysis; consult Wertheim directly and monitor the SEC-Consult advisory at https://r.sec-consult.com/wertheim for the coordinated disclosure and any fixed AssemblyVersion above 6.15.8328.28014. Until a fix is published, restrict reachability of the SafeController web application to a dedicated management VLAN and require VPN or jump-host access (this prevents casual abuse but does not stop a malicious low-privileged operator account), aggressively review and minimize the number of low-privilege user accounts that exist (every such account is a potential attacker under this CVE), enable verbose web-server access logging and alert on requests to administrative or branch-management URL paths originating from non-administrator sessions, and disable or remove any test/demo accounts. Avoid relying on frontend role hiding as a control - the affected endpoints are reachable directly regardless of UI state.

Share

CVE-2026-34024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy