Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software.
Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website.
The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.
AnalysisAI
Path traversal in Zurich Instruments LabOne Web Server allows unauthenticated remote attackers to read arbitrary files accessible to the LabOne process. The vulnerability combines insufficient input validation (CWE-22) with missing CORS restrictions, enabling direct exploitation or browser-based attacks via malicious websites. EPSS data not available, but the network-accessible unauthenticated attack vector (AV:N/PR:N/UI:N) combined with vendor-confirmed patch indicates active vendor response to a readily exploitable information disclosure flaw. Exploitation limited to installations running the Web Server component; API-only deployments are unaffected.
Technical ContextAI
LabOne is Zurich Instruments' software suite for controlling quantum computing and test measurement instrumentation. The vulnerability affects the LabOne Web Server component (CPE: cpe:2.3:a:zurich_instruments:labone), which provides the web-based user interface. The flaw is a classic path traversal (CWE-22) vulnerability where user-supplied file paths are not properly sanitized before file system operations. This allows directory traversal sequences (e.g., '../../../') to escape intended boundaries and access files anywhere the LabOne process has read permissions. The attack surface is compounded by missing Cross-Origin Resource Sharing (CORS) protections, enabling cross-site request forgery (CSRF) style attacks where an attacker-controlled webpage can trigger file reads through the victim's authenticated browser session. The CVSS 4.0 vector indicates network-accessible, low-complexity exploitation requiring no privileges or user interaction for direct attacks.
RemediationAI
Apply the vendor-released patch immediately by downloading the updated LabOne version from https://www.zhinst.com/support/download-center/. Consult the security advisory at https://www.zhinst.com/support/security/2026/zi-sa-2026-001/ for exact patched version numbers and installation instructions. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the LabOne Web Server component and use only API interfaces-this completely mitigates the vulnerability but eliminates web UI functionality, requiring users to switch to programmatic control or command-line interfaces; (2) Restrict network access to the Web Server port (typically TCP/8004) using host-based firewall rules to allow only trusted IP addresses-reduces attack surface but does not protect against malicious insiders or compromised trusted systems within the allowed range; (3) Run the LabOne process under a dedicated low-privilege operating system account with minimal file system read permissions-limits the scope of accessible files but requires reconfiguration and may break functionality if LabOne legitimately needs broader access for instrument operation. Network segmentation placing LabOne systems on isolated VLANs inaccessible from general corporate or internet networks provides defense-in-depth but does not prevent exploitation by attackers who gain initial access to the lab network.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25215