Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable HTTP endpoint with low-complexity traversal payload, requires any authenticated account so PR:L, no UI, and impact is arbitrary file read so C:H with I:N and A:N.
Primary rating from Vendor (SEC-VLab).
CVSS VectorVendor: SEC-VLab
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.
AnalysisAI
Authenticated path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) - software used to manage vault rooms and safe deposit locker systems - allows any logged-in user to read arbitrary files from the host via the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. Successful exploitation exposes application log files (which may contain credentials or session data) and application binaries, enabling secondary attacks against the safe deposit locker infrastructure. No public exploit identified at time of analysis, and the issue was disclosed by SEC Consult Vulnerability Lab (SEC-VLab).
Technical ContextAI
The vulnerable component is the /safe/selfservice/openselfservicedocument endpoint of Wertheim SafeController, a .NET-based management application (per the AssemblyVersion identifier) deployed in physical safe deposit / vault-room environments. The CWE-23 (Relative Path Traversal) classification indicates the application takes the user-supplied documentName parameter and concatenates it into a filesystem path without normalizing or restricting traversal sequences such as '..\' or '../'. As a result, the file-retrieval routine, which is intended to serve documents from a designated self-service directory, can be coerced into reading any file that the application's service account is permitted to open on the underlying host.
RemediationAI
No vendor-released patch identified at time of analysis - the SEC Consult advisory at https://r.sec-consult.com/wertheim should be consulted for any updated fix version published after disclosure, and operators of Wertheim SafeController 6.15.8328.28014 should contact Wertheim GmbH (https://wertheim-safes.com/safe-deposit-box-management/) directly to obtain a hardened build. Until a patch is available, restrict network reachability of the /safe/selfservice/openselfservicedocument endpoint to a management VLAN or jump host (side effect: blocks legitimate self-service document retrieval for remote users), enforce a web application firewall rule that rejects documentName values containing '..', '%2e%2e', backslashes, or absolute path indicators (side effect: may break filenames legitimately containing those byte sequences), tighten the service account so it cannot read log directories or binary install paths outside the document store, and rotate any credentials, API keys, or session secrets that may have been written to the now-readable application logs.
Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authen
Cross-branch authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an authen
Path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables an authenticated user holdi
Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotecte
Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables loca
Unrestricted file upload in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows any authenticated
IP restriction bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an attacker holding v
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36709
GHSA-qcqj-3f78-3wfq