Skip to main content

PaperCut MF CVE-2026-6418

| EUVDEUVD-2026-27233 MEDIUM
Absolute Path Traversal (CWE-36)
2026-05-05 PaperCut GHSA-mhwr-j844-q9pq
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 05, 2026 - 08:01 EUVD
Analysis Generated
May 05, 2026 - 07:30 vuln.today
CVSS changed
May 05, 2026 - 07:22 NVD
4.6 (MEDIUM)

DescriptionCVE.org

An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.

Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.

When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.

AnalysisAI

PaperCut MF version 25.0.4 allows authenticated administrators to read arbitrary files on the server through insufficient path validation in the Shared Account Synchronization component, exposing sensitive configuration and system files via the account management interface. The vulnerability requires administrative privileges and attack complexity involves timing (AT:P), limiting real-world exploitation scope despite network accessibility.

Technical ContextAI

The Shared Account Synchronization component in PaperCut MF lacks proper input validation and path sanitization on user-supplied file paths. The affected CPE (cpe:2.3:a:papercut:papercut_ng/mf) indicates this impacts both PaperCut NG and MF product lines. The vulnerability stems from CWE-36 (Absolute Path Traversal), where administrative users can specify arbitrary filesystem paths that the synchronization process then attempts to parse as account data sources. The parsed file contents are subsequently exposed through the application's account management interface, creating an information disclosure channel. The service account's filesystem permissions determine the scope of readable files.

RemediationAI

Upgrade PaperCut MF to the patched version specified in the vendor security bulletin (https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/). Until patching is possible, implement compensating controls by restricting administrative access to the Shared Account Synchronization configuration interface through role-based access control, limiting which users can modify source paths to only those with demonstrated business need. Disable the Shared Account Synchronization feature entirely if not actively used for business operations. Additionally, audit and limit the filesystem permissions of the service account under which PaperCut runs to the minimum necessary directories, reducing the scope of files exposable through this vulnerability. Monitor account management interface access logs for unusual file path specifications or repeated failed synchronization attempts.

Share

CVE-2026-6418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy