Description
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches.
Published: 2026-06-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by missing authorization checks on several web application endpoints in the Wertheim SafeController Software. An attacker who has only minimal authenticated privileges can reach endpoints that are invisible in the user interface and perform actions such as switching branches, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches. This allows the attacker to read, modify, and potentially tamper with data that should be protected, effectively bypassing internal access controls within the system.

Affected Systems

The affected product is the Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) from Wertheim GmbH. The specific affected build identified in the advisory is AssemblyVersion 6.15.8328.28014, and prior releases of the same product may also be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity, and the vulnerability can be exploited by any authenticated user with low privileges through the web interface. Although the EPSS score is not available, the lack of a KEV listing does not diminish the risk of exploitation. The likely attack vector is through the web application, requiring only legitimate credentials and minimal privileges; once accessed, the attacker can perform unauthorized actions that compromise data confidentiality and integrity.

Generated by OpenCVE AI on June 15, 2026 at 13:24 UTC.

Remediation

Vendor Solution

The vendor provides a patch, which should be installed immediately. Specific fixed-version information was not provided; affected parties should contact the vendor to request the update.


Vendor Workaround

Restrict access to the SafeController web application to authorized users and trusted network locations only. Review user accounts, roles, and branch assignments. Monitor requests to administrative and document-management endpoints for access by users that should not have the corresponding privileges. These measures should only be treated as interim risk reduction; the vendor-provided patch should be installed.


OpenCVE Recommended Actions

  • Apply the vendor-provided patch immediately
  • Restrict access to the SafeController web application to authorized users and trusted network locations only
  • Review user accounts, roles, and branch assignments for proper privilege separation
  • Monitor requests to administrative and document-management endpoints for access by users lacking appropriate privileges
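The two defensive measures above (enforce authorization on every endpoint regardless of frontend visibility, and review access logs for privilege mismatches) are shown below as an added example. It is not code from the OpenCVE page or from the vendor's product; the endpoint paths, roles, usernames and log lines are constructed for illustration and the `ENDPOINT_ROLES` map is a hypothetical policy, not the product's real one.

```python
"""Added example (not part of the OpenCVE page or the vendor's product).

Demonstrates two defender-side controls for CWE-862 (missing authorization)
of the kind described in the advisory:
  1. A server-side authorization gate that every endpoint passes through,
     whether or not the endpoint is linked from the frontend.
  2. A review of access-log lines that flags requests to administrative or
     document-management endpoints by users whose role does not grant them.

All endpoint paths, roles, usernames and log lines are constructed; none
come from the advisory.
"""
import re
from dataclasses import dataclass

# Constructed endpoint -> required-role map (hypothetical paths).
# The check is keyed on the endpoint itself, not on whether the UI shows it.
ENDPOINT_ROLES = {
    "/api/branch/switch": {"admin"},
    "/api/branch/details": {"admin", "branch_manager"},
    "/api/documents/upload": {"admin", "clerk"},
    "/api/documents/download": {"admin", "clerk"},
    "/api/me": {"admin", "branch_manager", "clerk", "viewer"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class Forbidden(Exception):
    pass


def authorize(user, path):
    """Server-side gate. Deny by default: an endpoint absent from the map is
    treated as restricted, so a new or 'hidden' route never silently becomes
    reachable by low-privileged users."""
    allowed = ENDPOINT_ROLES.get(path)
    if allowed is None or user.role not in allowed:
        raise Forbidden(f"{user.name} ({user.role}) may not call {path}")
    return True


def handle_request(user, path):
    """Dispatcher that always runs the gate first; returns (status, body)."""
    try:
        authorize(user, path)
    except Forbidden as exc:
        return 403, str(exc)
    return 200, f"ok: {path}"


# --- Log review ------------------------------------------------------------
# Constructed log format: "<ts> user=<name> role=<role> <METHOD> <path> <status>"
LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
                    r'(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$')


def find_unauthorized_access(log_lines):
    """Return (user, role, path, status) for every request whose caller's role
    is not in the endpoint's allowed set. A 200 on such a line is the
    signature of a missing server-side check; a 403 shows the gate working."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        allowed = ENDPOINT_ROLES.get(m["path"], set())
        if m["role"] not in allowed:
            hits.append((m["user"], m["role"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (not real product output).
SAMPLE_LOG = [
    "2026-06-15T10:00:01Z user=alice role=admin POST /api/branch/switch 200",
    "2026-06-15T10:00:05Z user=bob role=viewer GET /api/me 200",
    "2026-06-15T10:00:09Z user=bob role=viewer POST /api/branch/switch 200",
    "2026-06-15T10:00:12Z user=bob role=viewer POST /api/documents/upload 200",
    "2026-06-15T10:00:20Z user=carol role=clerk GET /api/branch/details 403",
]

if __name__ == "__main__":
    print(handle_request(User("bob", "viewer"), "/api/branch/switch"))
    for hit in find_unauthorized_access(SAMPLE_LOG):
        print("REVIEW:", hit)
```

The log review deliberately reports 403 responses as well as 200s: a denied attempt by a low-privileged account against a branch or document endpoint is still worth a look during the account and role review the workaround calls for, while a 200 on the same line is the condition the patch is meant to eliminate.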


Tracking


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches.
Title | | Missing authorization checks in Wertheim SafeController Software allow low-privileged users to access restricted functions
Weaknesses | | CWE-862
References | |
Metrics (cvssV4_0) | | {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-15T12:27:51.164Z

Reserved: 2026-03-25T10:46:45.515Z

Link: CVE-2026-34024

Vulnrichment

Updated: 2026-06-15T12:27:46.523Z

NVD

Status: Deferred

Published: 2026-06-15T12:16:24.713

Modified: 2026-06-15T21:05:18.653

Link: CVE-2026-34024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T13:30:05Z

Weaknesses