Skip to main content

Wertheim SafeController EUVDEUVD-2026-36709

| CVE-2026-34026 HIGH
Relative Path Traversal (CWE-23)
2026-06-15 SEC-VLab GHSA-qcqj-3f78-3wfq
7.1
CVSS 4.0 · Vendor: SEC-VLab
Share

Severity by source

Vendor (SEC-VLab) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable HTTP endpoint with low-complexity traversal payload, requires any authenticated account so PR:L, no UI, and impact is arbitrary file read so C:H with I:N and A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (SEC-VLab).

CVSS VectorVendor: SEC-VLab

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 12:21 vuln.today

DescriptionCVE.org

Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.

AnalysisAI

Authenticated path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) - software used to manage vault rooms and safe deposit locker systems - allows any logged-in user to read arbitrary files from the host via the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. Successful exploitation exposes application log files (which may contain credentials or session data) and application binaries, enabling secondary attacks against the safe deposit locker infrastructure. No public exploit identified at time of analysis, and the issue was disclosed by SEC Consult Vulnerability Lab (SEC-VLab).

Technical ContextAI

The vulnerable component is the /safe/selfservice/openselfservicedocument endpoint of Wertheim SafeController, a .NET-based management application (per the AssemblyVersion identifier) deployed in physical safe deposit / vault-room environments. The CWE-23 (Relative Path Traversal) classification indicates the application takes the user-supplied documentName parameter and concatenates it into a filesystem path without normalizing or restricting traversal sequences such as '..\' or '../'. As a result, the file-retrieval routine, which is intended to serve documents from a designated self-service directory, can be coerced into reading any file that the application's service account is permitted to open on the underlying host.

RemediationAI

No vendor-released patch identified at time of analysis - the SEC Consult advisory at https://r.sec-consult.com/wertheim should be consulted for any updated fix version published after disclosure, and operators of Wertheim SafeController 6.15.8328.28014 should contact Wertheim GmbH (https://wertheim-safes.com/safe-deposit-box-management/) directly to obtain a hardened build. Until a patch is available, restrict network reachability of the /safe/selfservice/openselfservicedocument endpoint to a management VLAN or jump host (side effect: blocks legitimate self-service document retrieval for remote users), enforce a web application firewall rule that rejects documentName values containing '..', '%2e%2e', backslashes, or absolute path indicators (side effect: may break filenames legitimately containing those byte sequences), tighten the service account so it cannot read log directories or binary install paths outside the document store, and rotate any credentials, API keys, or session secrets that may have been written to the now-readable application logs.

Share

EUVD-2026-36709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy