Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.
Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.
When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.
AnalysisAI
PaperCut MF version 25.0.4 allows authenticated administrators to read arbitrary files on the server through insufficient path validation in the Shared Account Synchronization component, exposing sensitive configuration and system files via the account management interface. The vulnerability requires administrative privileges and attack complexity involves timing (AT:P), limiting real-world exploitation scope despite network accessibility.
Technical ContextAI
The Shared Account Synchronization component in PaperCut MF lacks proper input validation and path sanitization on user-supplied file paths. The affected CPE (cpe:2.3:a:papercut:papercut_ng/mf) indicates this impacts both PaperCut NG and MF product lines. The vulnerability stems from CWE-36 (Absolute Path Traversal), where administrative users can specify arbitrary filesystem paths that the synchronization process then attempts to parse as account data sources. The parsed file contents are subsequently exposed through the application's account management interface, creating an information disclosure channel. The service account's filesystem permissions determine the scope of readable files.
RemediationAI
Upgrade PaperCut MF to the patched version specified in the vendor security bulletin (https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/). Until patching is possible, implement compensating controls by restricting administrative access to the Shared Account Synchronization configuration interface through role-based access control, limiting which users can modify source paths to only those with demonstrated business need. Disable the Shared Account Synchronization feature entirely if not actively used for business operations. Additionally, audit and limit the filesystem permissions of the service account under which PaperCut runs to the minimum necessary directories, reducing the scope of files exposable through this vulnerability. Monitor account management interface access logs for unusual file path specifications or repeated failed synchronization attempts.
More in Papercut Ng Mf
View allSame weakness CWE-36 – Absolute Path Traversal
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27233
GHSA-mhwr-j844-q9pq