Skip to main content

M-Files Server EUVDEUVD-2026-30767

| CVE-2026-0983 HIGH
Improper Validation of Syntactic Correctness of Input (CWE-1286)
2026-05-18 M-Files Corporation GHSA-x6cg-7p5m-7wcc
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 18, 2026 - 13:01 EUVD
Analysis Generated
May 18, 2026 - 12:30 vuln.today
CVSS changed
May 18, 2026 - 12:22 NVD
7.1 (HIGH)

DescriptionCVE.org

Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash

AnalysisAI

Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated remote attacker to crash the MFserver process, disrupting document management services for all connected users. The flaw is reachable over the network with low privileges and no user interaction, but has no impact on confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

Technical ContextAI

M-Files Server is the backend service of M-Files Corporation's enterprise document management and information governance platform, exposing the MFserver process to authenticated client connections. The weakness is classified as CWE-1286 (Improper Validation of Syntactic Correctness of Input), indicating that the server fails to properly validate the structural correctness of input it receives from authenticated clients, leading the MFserver process to terminate unexpectedly. The affected CPE cpe:2.3:a:m-files_corporation:m-files_server covers all M-Files Server installations below the listed fixed builds across the current, 26.2 LTS, and 25.8 LTS release trains.

RemediationAI

Vendor-released patch: upgrade M-Files Server to 26.5.16015.0 or later on the current train, to 26.2 LTS, or to 25.8 LTS SR3 depending on the deployed release line, as published in the M-Files advisory at https://empower.m-files.com/security-advisories/CVE-2026-0983. Until patching is possible, restrict M-Files Server access to trusted networks and reduce the population of accounts that can authenticate to the server - for example by tightening AD group membership for M-Files logins and disabling unused or test accounts - accepting that this will block legitimate remote or contractor access and is only a partial mitigation since any retained authenticated user can still trigger the crash. Operationally, ensure the MFserver process is supervised so that an induced crash auto-restarts (via the Windows service recovery settings) and monitor for repeated unexpected service stops as a detection signal.

CVE-2023-6912 CRITICAL
9.8 Dec 20

Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authe

CVE-2024-10127 CRITICAL
9.2 Nov 20

Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLD

CVE-2023-6239 HIGH
8.8 Nov 28

Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specif

CVE-2024-6789 HIGH
8.4 Aug 27

A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 2

CVE-2023-2112 HIGH
7.8 Apr 20

Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0. Rated high severity (

CVE-2024-4056 HIGH
7.5 Apr 26

Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allow

CVE-2023-6117 HIGH
7.5 Nov 22

A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API me

CVE-2023-3405 HIGH
7.5 Jun 27

Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonym

CVE-2023-0384 HIGH
7.5 Apr 20

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle

CVE-2023-0383 HIGH
7.5 Apr 20

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle

CVE-2022-4858 HIGH
7.5 Dec 30

Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive

CVE-2026-0932 MEDIUM
6.9 Apr 01

Blind server-side request forgery in M-Files Server before version 26.3 allows unauthenticated remote attackers to force

Share

EUVD-2026-30767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy