Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account.
This issue affects mpGabinet version 23.12.19 and below.
AnalysisAI
Remote command execution in mpGabinet 23.12.19 and below allows authenticated database administrators or unauthenticated attackers (via chained exploitation of CVE-2026-40550 and CVE-2026-40551) to achieve system command execution by manipulating attachment storage paths in the database to reference attacker-controlled resources that execute when users open the files. The vulnerability requires direct database access and user interaction to trigger execution, but becomes unauthenticated when chained with companion CVE vulnerabilities that grant database and application access.
Technical ContextAI
mpGabinet is a document management application developed by BinSoft that processes user-uploaded file attachments. The vulnerability exploits insufficient validation of attachment storage paths stored in the backend database. When the application retrieves and processes an attachment for user download or preview, it does not properly validate whether the referenced storage path points to legitimate application storage or to attacker-controlled network resources (e.g., SMB shares, HTTP URLs, or UNC paths). The underlying issue is improper resource validation (CWE-669) combined with unsafe file handling that executes retrieved resources without integrity or origin verification. The vulnerability is particularly severe because mpGabinet's database layer lacks proper access controls, as evidenced by companion CVEs 2026-40550 and 2026-40551 that enable unauthenticated database access and account takeover.
RemediationAI
Upgrade mpGabinet immediately to version 23.12.20 or later, which is expected to include fixes for CVE-2026-40552, CVE-2026-40550, and CVE-2026-40551. Until patching is complete, implement the following compensating controls: (1) Restrict direct database access to only authorized administrators using firewall rules and database authentication (trade-off: limits legitimate admin access; use jump hosts or VPNs for remote access); (2) Disable or restrict the file attachment feature in mpGabinet if not critical to operations (trade-off: loss of attachment functionality); (3) Block outbound network connections from the mpGabinet application server to external SMB, HTTP, and UNC paths using host-based firewall or network segmentation (trade-off: may break legitimate network file sharing if intentionally configured); (4) Implement strict file type validation and sandboxing for attachment preview operations (trade-off: performance impact and potential loss of functionality for legitimate file types). Consult CERT-PL advisory at https://cert.pl/posts/2026/04/CVE-2026-40550/ for coordinated disclosure timeline and additional vendor guidance.
Client-side authentication bypass in mpGabinet 23.12.19 and earlier allows local authenticated attackers to impersonate
mpGabinet 23.12.19 and earlier suffers from privilege escalation due to excessive database privileges assigned to the ap
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26046