CVE-2026-34026 (GCVE-0-2026-34026)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:04 – Updated: 2026-06-15 12:29
VLAI
Title
Path traversal in Wertheim SafeController Software allows authenticated users to download arbitrary files
Summary
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative path traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wertheim-safes.com/safe-deposit-box-management/ | product |
| https://r.sec-consult.com/wertheim | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wertheim GmbH | Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) |
Affected:
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:29:09.035884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:29:20.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)",
"vendor": "Wertheim GmbH",
"versions": [
{
"status": "affected",
"version": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Hager, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Gorazd Jank, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Philipp Espernberger, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries."
}
],
"value": "Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative path traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T10:04:13.043Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"product"
],
"url": "https://wertheim-safes.com/safe-deposit-box-management/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/wertheim"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"value": "The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path traversal in Wertheim SafeController Software allows authenticated users to download arbitrary files",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the SafeController web application to authorized users and trusted network locations only. Review access to document download endpoints and monitor requests containing path traversal sequences, absolute paths, encoded traversal patterns, or unexpected filesystem paths. Ensure that sensitive log files and application binaries are not readable by the web application account unless strictly required. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"value": "Restrict access to the SafeController web application to authorized users and trusted network locations only. Review access to document download endpoints and monitor requests containing path traversal sequences, absolute paths, encoded traversal patterns, or unexpected filesystem paths. Ensure that sensitive log files and application binaries are not readable by the web application account unless strictly required. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2026-34026",
"datePublished": "2026-06-15T10:04:13.043Z",
"dateReserved": "2026-03-25T10:46:45.516Z",
"dateUpdated": "2026-06-15T12:29:20.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-34026",
"date": "2026-06-16",
"epss": "0.00394",
"percentile": "0.31041"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34026\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2026-06-15T12:16:25.040\",\"lastModified\":\"2026-06-15T21:05:18.653\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/wertheim\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"https://wertheim-safes.com/safe-deposit-box-management/\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34026\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-15T12:29:09.035884Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-15T12:29:15.847Z\"}}], \"cna\": {\"title\": \"Path traversal in Wertheim SafeController Software allows authenticated users to download arbitrary files\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Christian Hager, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Gorazd Jank, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Philipp Espernberger, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-139\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-139 Relative Path Traversal\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Wertheim GmbH\", \"product\": \"Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)\", \"versions\": [{\"status\": \"affected\", \"version\": \"Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014\"}], \"defaultStatus\": \"unknown\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The vendor provides a patch which should be installed immediately. Specific fixed version information was not provided. Affected parties should contact the vendor to request the update.\", \"base64\": false}]}], \"references\": [{\"url\": \"https://wertheim-safes.com/safe-deposit-box-management/\", \"tags\": [\"product\"]}, {\"url\": \"https://r.sec-consult.com/wertheim\", \"tags\": [\"third-party-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Restrict access to the SafeController web application to authorized users and trusted network locations only. Review access to document download endpoints and monitor requests containing path traversal sequences, absolute paths, encoded traversal patterns, or unexpected filesystem paths. Ensure that sensitive log files and application binaries are not readable by the web application account unless strictly required. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Restrict access to the SafeController web application to authorized users and trusted network locations only. Review access to document download endpoints and monitor requests containing path traversal sequences, absolute paths, encoded traversal patterns, or unexpected filesystem paths. Ensure that sensitive log files and application binaries are not readable by the web application account unless strictly required. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation, allowing an authenticated attacker with any role or permission level to traverse out of the intended document directory and download arbitrary files accessible to the application. This includes, but is not limited to, application log files containing sensitive information and application binaries.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23 Relative path traversal\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-06-15T10:04:13.043Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34026\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-15T12:29:20.230Z\", \"dateReserved\": \"2026-03-25T10:46:45.516Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-06-15T10:04:13.043Z\", \"assignerShortName\": \"SEC-VLab\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…