Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent-network unauthenticated path traversal (AV:A/AC:L/PR:N/UI:N) reading OS files outside the web application crosses a security authority, so S:C with C:H and no integrity or availability impact.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Golem OEE MES is vulnerable to an unauthenticated path traversal flaw. This vulnerability allows an attacker in the same local network to read arbitrary files from the server's operating system by manipulating HTTP request paths. This issue has been fixed in version 11.6.0
AnalysisAI
Arbitrary file disclosure in Golem OEE MES (Neuron Soft) before 11.6.0 lets an unauthenticated attacker on the same local network read any file readable by the server process by manipulating HTTP request paths. Reported by CERT-PL with no public exploit identified at time of analysis, the issue is fixed in 11.6.0 and carries a CVSS 4.0 base score of 8.3 driven by adjacent-network access and high confidentiality impact extending beyond the application.
Technical ContextAI
Golem OEE MES is a Manufacturing Execution System sold by Neuron Soft (cpe:2.3:a:neuron_soft:golem_oee_mes) used on shop-floor networks to track Overall Equipment Effectiveness and production data. The flaw is a classic CWE-22 Improper Limitation of a Pathname to a Restricted Directory: the HTTP request handler builds filesystem paths from URL components without canonicalizing or restricting traversal sequences such as '../', so requests can escape the intended web root and resolve to arbitrary files on the underlying operating system. Because MES servers typically run under a privileged service account and store configuration, recipes, and database credentials alongside web assets, the readable filesystem set is large and security-sensitive.
RemediationAI
Vendor-released patch: upgrade Golem OEE MES to version 11.6.0 or later, obtained from https://www.neuron.com.pl/mes-help/mes-download.html, as referenced in the CERT-PL advisory at https://cert.pl/posts/2026/06/CVE-2026-8464. If immediate patching is not feasible, restrict access to the MES HTTP service to a dedicated management VLAN or jump host using host firewall rules or network ACLs so untrusted plant-floor devices cannot reach it (trade-off: legitimate operator stations and integration endpoints must be explicitly whitelisted, which may disrupt SCADA/historian polling), place a reverse proxy in front of the server to normalize and reject URLs containing '../', encoded traversal sequences, or absolute paths (trade-off: may break legitimate paths that legitimately contain dot segments), and rotate any credentials, API keys, or database secrets stored on the MES host on the assumption they may already have been disclosed on networks where adjacent attackers existed.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36234
GHSA-v4jp-473q-hxw4