Skip to main content

mpGabinet CVE-2026-40552

| EUVDEUVD-2026-26046 MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-04-28 CERT-PL
4.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 28, 2026 - 14:30 vuln.today
CVSS changed
Apr 28, 2026 - 14:22 NVD
4.7 (MEDIUM)
EUVD ID Assigned
Apr 28, 2026 - 14:00 euvd
EUVD-2026-26046
Analysis Generated
Apr 28, 2026 - 14:00 vuln.today
CVE Published
Apr 28, 2026 - 13:13 nvd
MEDIUM 4.7

DescriptionCVE.org

mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account.

This issue affects mpGabinet version 23.12.19 and below.

AnalysisAI

Remote command execution in mpGabinet 23.12.19 and below allows authenticated database administrators or unauthenticated attackers (via chained exploitation of CVE-2026-40550 and CVE-2026-40551) to achieve system command execution by manipulating attachment storage paths in the database to reference attacker-controlled resources that execute when users open the files. The vulnerability requires direct database access and user interaction to trigger execution, but becomes unauthenticated when chained with companion CVE vulnerabilities that grant database and application access.

Technical ContextAI

mpGabinet is a document management application developed by BinSoft that processes user-uploaded file attachments. The vulnerability exploits insufficient validation of attachment storage paths stored in the backend database. When the application retrieves and processes an attachment for user download or preview, it does not properly validate whether the referenced storage path points to legitimate application storage or to attacker-controlled network resources (e.g., SMB shares, HTTP URLs, or UNC paths). The underlying issue is improper resource validation (CWE-669) combined with unsafe file handling that executes retrieved resources without integrity or origin verification. The vulnerability is particularly severe because mpGabinet's database layer lacks proper access controls, as evidenced by companion CVEs 2026-40550 and 2026-40551 that enable unauthenticated database access and account takeover.

RemediationAI

Upgrade mpGabinet immediately to version 23.12.20 or later, which is expected to include fixes for CVE-2026-40552, CVE-2026-40550, and CVE-2026-40551. Until patching is complete, implement the following compensating controls: (1) Restrict direct database access to only authorized administrators using firewall rules and database authentication (trade-off: limits legitimate admin access; use jump hosts or VPNs for remote access); (2) Disable or restrict the file attachment feature in mpGabinet if not critical to operations (trade-off: loss of attachment functionality); (3) Block outbound network connections from the mpGabinet application server to external SMB, HTTP, and UNC paths using host-based firewall or network segmentation (trade-off: may break legitimate network file sharing if intentionally configured); (4) Implement strict file type validation and sandboxing for attachment preview operations (trade-off: performance impact and potential loss of functionality for legitimate file types). Consult CERT-PL advisory at https://cert.pl/posts/2026/04/CVE-2026-40550/ for coordinated disclosure timeline and additional vendor guidance.

Share

CVE-2026-40552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy