Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper control of resource identifiers in Newgen OmniDocs up to version 12.0.00 allows unauthenticated remote attackers to access sensitive information via manipulation of the DocumentId parameter in the /omnidocs/WebApiRequestRedirection endpoint. The vulnerability has publicly available exploit code and a low CVSS score (5.5) reflecting confidentiality impact only, but the combination of network-based attack vector, no authentication requirement, and public exploit availability warrants immediate assessment. The vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability exists in the WebApiRequestRedirection API endpoint within Newgen OmniDocs and involves improper validation of resource identifiers (CWE-99: Improper Control of Resource Identifiers). The affected component fails to properly validate or authorize access to document resources based on the DocumentId parameter, allowing attackers to traverse or enumerate document identifiers without proper authorization checks. The root cause is inadequate access control on resource identifiers, a common issue in web APIs where user-supplied identifiers are used directly to fetch backend resources without verification that the requester has legitimate access to those specific resources. The CPE specification cpe:2.3:a:newgen:omnidocs:*:*:*:*:*:*:*:* indicates all versions of the OmniDocs product are potentially vulnerable up to the identified threshold.
RemediationAI
No vendor-released patch has been identified at time of analysis. Organizations should immediately contact Newgen Software directly to request patch availability and timeline, given the vendor's unresponsiveness to coordinated disclosure. As interim mitigation, implement network-level access controls to restrict unauthenticated access to the /omnidocs/WebApiRequestRedirection endpoint, limit exposure to internal or trusted networks only, and monitor for suspicious DocumentId parameter enumeration attempts in web server logs. Implement API authentication and authorization checks on all resource identifiers, validate and sanitize the DocumentId parameter server-side to prevent unauthorized resource access, and ensure proper role-based access controls are enforced for document retrieval. Until a patched version becomes available, maintain detailed audit logs of all API requests to this endpoint and consider application-level WAF rules to detect or block patterns consistent with resource enumeration attacks as referenced in the public exploit on Google Drive (https://drive.google.com/file/d/1lYPiqFQd5JoZpIrIh8ohD-7emzGSW0SV/view?usp=sharing).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18488