Description
Hospital Queuing Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs because Advantech Hospital Queuing Management does not enforce authentication on a specific API documentation endpoint. An attacker who can reach this URL from outside the network can retrieve the API documentation, which exposes internal services, endpoint names, and possible parameters. An attacker can use this information to prepare further attacks, such as crafting API calls that exploit other weaknesses, or to map the system architecture for subsequent exploitation attempts. The weakness is classified as CWE-306 (Missing Authentication for Critical Function).

Affected Systems

Advantech Hospital Queuing Management is affected in any release prior to ISO version 1.2.13 or where the QueueHttp.dll component is earlier than 1.2.12.7. These older builds expose the undocumented API documentation endpoint to unauthenticated users.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the vulnerability can be triggered by a remote attacker with no authentication. The EPSS score is not provided, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, which implies no confirmed real-world exploitation yet. However, the attack is straightforward: a simple HTTP request to the documentation URL from an external host. Consequently, the risk is significant if the server is exposed to the internet or an untrusted network segment. Organizations should treat this as a high-risk flaw that, if left unpatched, makes further attacks easier to plan.

Generated by OpenCVE AI on June 30, 2026 at 12:23 UTC.

Remediation

Vendor Solution

Update HQM ISO to version 1.2.13 or later, or update QueueHttp.dll to version 1.2.12.7 or later.


OpenCVE Recommended Actions

  • Update Advantech Hospital Queuing Management to ISO 1.2.13 or later, or ensure that QueueHttp.dll is upgraded to version 1.2.12.7 or newer. This patch restores proper authentication on the API documentation endpoint.
  • If an immediate update is not feasible, restrict network access to the API documentation URL using a firewall or access-control lists so that only trusted IP ranges can reach it, mitigating the unauthenticated access risk tied to CWE-306.
  • Continuously monitor for new advisories or vulnerability reports from Advantech or security communities, and verify that the deployed configuration no longer serves the API documentation to unauthenticated users.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 13:30:00 +0000

Values Removed: (empty)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 11:45:00 +0000

Values Removed: (empty)
Values Added:
  • Description: Hospital Queuing Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.
  • Title: Advantech|Hospital Quering Management - Missing Authentication
  • Weaknesses: CWE-306
  • References:
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-06-30T12:25:08.646Z

Reserved: 2026-06-30T02:02:24.547Z

Link: CVE-2026-14162

Vulnrichment

Updated: 2026-06-30T12:25:05.341Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T12:30:13Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function