Description
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
Published: 2026-01-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability permits an authenticated attacker who holds vault administrator privileges to crash the M‑Files Server process by calling a specific API endpoint. The impact is limited to service availability: no data loss or code execution is reported. The flaw is identified by CWE‑1286, indicating improper resource management leading to instability.

Affected Systems

M‑Files Server versions prior to 26.1.15632.3 are affected. These versions expose an API endpoint that, when called by a vault administrator, triggers the crash.

Risk and Exploitability

The CVSS score of 6.9 places the vulnerability in the medium‑severity range, while the EPSS score of less than 1% indicates a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. The attack requires authenticated access with vault administrator rights, which typically implies an insider or a compromised account. The threat is therefore limited to environments where such privileged credentials are obtainable, which reduces the likelihood of widespread exploitation. The attack vector is inferred to be internal, requiring legitimate authentication.

Generated by OpenCVE AI on April 18, 2026 at 04:17 UTC.

Remediation

Vendor Solution

Update M-Files Server to an unaffected version.


OpenCVE Recommended Actions

  • Upgrade M‑Files Server to version 26.1.15632.3 or newer to eliminate the vulnerable endpoint.
  • If an upgrade cannot be performed immediately, block or restrict access to the vulnerable API endpoint with firewall rules or server configuration so it cannot be invoked.
  • Enforce strict access controls on vault administrator accounts, applying least privilege and multi‑factor authentication to reduce the chance of an attacker obtaining the required credentials.


Tracking


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 11:00:00 +0000

Type: References (values removed / added not recorded)

Mon, 02 Feb 2026 16:00:00 +0000

Type: First Time appeared
  Values Added: M-files; M-files m-files Server
Type: CPEs
  Values Added: cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: M-files; M-files m-files Server
Type: Metrics
  Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values Added: M-files Corporation; M-files Corporation m-files Server
Type: Vendors & Products
  Values Added: M-files Corporation; M-files Corporation m-files Server

Wed, 21 Jan 2026 15:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 10:45:00 +0000

Type: Description
  Values Added: Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
Type: Title
  Values Added: Denial of Service condition in M-Files Server
Type: Weaknesses
  Values Added: CWE-1286
Type: References (values removed / added not recorded)
Type: Metrics
  Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

M-files M-files Server
M-files Corporation M-files Server
MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published:

Updated: 2026-02-23T10:39:26.170Z

Reserved: 2026-01-07T09:47:06.520Z

Link: CVE-2026-0663

Vulnrichment

Updated: 2026-01-21T14:27:08.214Z

NVD

Status: Modified

Published: 2026-01-21T11:15:50.880

Modified: 2026-02-23T11:16:21.553

Link: CVE-2026-0663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses