Description
Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash.
Published: 2026-05-18
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can trigger a crash of the MFserver process in M-Files Server, causing a denial-of-service condition. The weakness is classified as CWE-1286 (Improper Validation of Syntactic Correctness of Input); triggering it terminates the critical process and makes the server temporarily unusable until it is restarted.

Affected Systems

The vulnerable product is M‑Files Corporation’s M‑Files Server. Versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 are affected. All newer releases contain the fix.

Risk and Exploitability

The CVSS score of 7.1 is rated High. The vector (AV:N/AC:L/AT:N/PR:L/UI:N with VA:H) describes a network-reachable, low-complexity attack that needs low privileges and no user interaction, with impact limited to availability. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because an attacker must be authenticated, the attack surface is restricted to legitimate or compromised user accounts. Once authenticated, an attacker can repeatedly cause the MFserver process to crash, disrupting service for all users until the server is restarted. The lack of a publicly known exploit reduces immediate risk, but the potential for service disruption remains significant.

Generated by OpenCVE AI on May 18, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade M‑Files Server to version 26.5.16015.0 or later, or to 26.2 LTS or later, or to 25.8 LTS SR3 or later, to apply the official fix.
  • Restrict authentication to trusted users and enable multi‑factor authentication to reduce the chance of credential compromise.
  • Monitor server logs for repeated crash events and apply any interim configuration changes recommended by M‑Files once a later patch becomes available.

Advisories

No advisories yet.

History

Mon, 18 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 18 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
Title | | Denial of service vulnerability in M-Files Server
First Time appeared | | M-files Corporation; M-files Corporation m-files Server
Weaknesses | | CWE-1286
CPEs | | cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*
Vendors & Products | | M-files Corporation; M-files Corporation m-files Server
References | |
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published:

Updated: 2026-05-18T12:40:39.485Z

Reserved: 2026-01-15T10:18:50.486Z

Link: CVE-2026-0983

Vulnrichment

Updated: 2026-05-18T12:40:34.870Z

NVD

Status: Received

Published: 2026-05-18T12:16:16.230

Modified: 2026-05-18T12:16:16.230

Link: CVE-2026-0983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T14:30:05Z

Weaknesses