Skip to main content

Wertheim SafeController CVE-2026-34027

| EUVDEUVD-2026-36710 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-15 SEC-VLab GHSA-gr5m-9xq3-vhc7
5.3
CVSS 4.0 · Vendor: SEC-VLab
Share

Severity by source

Vendor (SEC-VLab) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-accessible endpoint requires only low-privilege authentication; integrity impact is low (arbitrary file write); no confirmed confidentiality or availability impact; scope unchanged absent confirmed server-side execution.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (SEC-VLab).

CVSS VectorVendor: SEC-VLab

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 12:27 vuln.today

DescriptionCVE.org

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload if this value contains an allowed string such as pdf, jpeg, tiff, or png. An authenticated attacker with any role or permission level can spoof the Content-Type value and upload arbitrary file content.

AnalysisAI

Unrestricted file upload in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows any authenticated user, regardless of role or permission level, to bypass server-side file type controls at the /safe/contract/uploadcustomdocuments endpoint by spoofing the HTTP Content-Type header with a value containing allowed substrings such as 'pdf', 'jpeg', 'tiff', or 'png'. Because validation relies entirely on a client-supplied header rather than inspecting actual file content or magic bytes, arbitrary file content can be written to the server. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Technical ContextAI

The affected product is identified by CPE cpe:2.3:a:wertheim_gmbh:wertheim_safecontroller_software_for_vault_rooms_(safe_deposit_locker_system):*:*:*:*:*:*:*:*, which is physical safe-deposit locker management software by Wertheim GmbH. The vulnerability maps to CWE-434 (Unrestricted Upload of File with Dangerous Type), a class of flaw in which server logic trusts the client's declaration of content type rather than independently verifying it through file content inspection, magic byte analysis, or sandboxed processing. The validation at /safe/contract/uploadcustomdocuments performs only a substring presence check against the Content-Type request header - if the header value contains any of the strings 'pdf', 'jpeg', 'tiff', or 'png', the upload is accepted. This is trivially bypassed by crafting a Content-Type such as 'application/pdf+evil' or 'image/jpeg.php', which satisfies the check while delivering arbitrary payload content. The root cause is the absence of any server-side content inspection (e.g., libmagic, MIME sniffing of file bytes, or allowlist-based extension enforcement after file parsing).

RemediationAI

No vendor-released patch or fixed version has been identified in the available data at time of analysis. Organizations running Wertheim SafeController Software AssemblyVersion 6.15.8328.28014 should contact Wertheim GmbH directly referencing the SEC-VLab disclosure at https://r.sec-consult.com/wertheim to obtain patch status and availability. As a compensating control, restrict access to the /safe/contract/uploadcustomdocuments endpoint at the network or application firewall level to only explicitly trusted user segments, reducing the pool of authenticated users who can reach the endpoint (trade-off: may disrupt legitimate document upload workflows). Additionally, configure the web server to serve uploaded files from a directory that is not web-executable (e.g., outside the webroot or with execution disabled via server policy), which eliminates the most severe escalation path (code execution) even if arbitrary files can be written. Deploying a web application firewall rule to inspect Content-Type header values against a strict allowlist of exact MIME types (not substring matches) provides an additional detection layer. Audit existing uploaded files for unexpected types or executable content.

Share

CVE-2026-34027 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy