Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user.
This issue affects mpGabinet version 23.12.19 and below.
AnalysisAI
Client-side authentication bypass in mpGabinet 23.12.19 and earlier allows local authenticated attackers to impersonate arbitrary users by patching the application binary. An attacker with legitimate low-privilege access to the system can manipulate the compiled application code to skip login verification entirely, gaining unauthorized access as any user including administrators. EPSS score not available for this 2026 CVE; no active exploitation or public POC confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-603 (Use of Client-Side Authentication), a fundamental architectural flaw where security-critical authentication logic resides in the client application rather than being enforced server-side. In mpGabinet, the login verification process executes within the local application binary, making it susceptible to reverse engineering and binary patching. An attacker can use tools like hex editors, debuggers, or binary patchers to modify the compiled code-such as changing conditional jump instructions, NOP-ing out authentication checks, or hardcoding success values-to bypass the verification routine. Because the backend server trusts the client's assertion of authenticated status rather than independently validating credentials, the compromised client can present itself as any user. This design pattern violates the principle that clients are untrusted and all security enforcement must occur server-side. The CPE cpe:2.3:a:binsoft:mpgabinet identifies the vendor as Binsoft and confirms this is an application-layer vulnerability affecting all instances of the software.
RemediationAI
Upgrade to mpGabinet version later than 23.12.19 if a patched release is available-check the vendor website at https://www.mpgabinet.pl/ and the CERT-PL advisory at https://cert.pl/posts/2026/04/CVE-2026-40550/ for update announcements, though no specific fix version is confirmed in available data at time of analysis. Because this is an architectural vulnerability (CWE-603), effective remediation requires the vendor to redesign authentication to enforce all verification server-side rather than client-side. Until a patched version with server-enforced authentication is deployed, implement strict compensating controls: restrict local access to systems running mpGabinet to only fully trusted users through OS-level access controls and group policies; deploy application whitelisting or integrity monitoring solutions (Windows Defender Application Control, AppLocker, HIDS) to detect unauthorized binary modifications; implement file system permissions preventing non-administrative users from writing to the mpGabinet installation directory; enable audit logging for all mpGabinet authentication events and cross-reference with backend server logs to detect anomalies indicating bypassed authentication. Note that these mitigations only raise the bar for exploitation-they do not eliminate the underlying vulnerability. Organizations handling sensitive data should consider migrating to alternative solutions with server-enforced authentication if vendor patch timeline is uncertain.
mpGabinet 23.12.19 and earlier suffers from privilege escalation due to excessive database privileges assigned to the ap
Remote command execution in mpGabinet 23.12.19 and below allows authenticated database administrators or unauthenticated
Same weakness CWE-603 – Use of Client-Side Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26045