Description
KTM System e-BOK enforces a maximum password length of six numeric digits and does not permit the use of any alphabetic, special, or extended characters.

This issue was fixed in the patch published in June 2026.
Published: 2026-06-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

KTM System e‑BOK enforces a maximum password length of six numeric digits and rejects alphabetic, special, and extended characters; this restriction is stated directly in the CVE description. A password drawn from ten symbols with at most six positions has a search space of no more than 1,111,110 values (the 10^6 six-digit values plus every shorter one), so an attacker who can submit guesses to the login endpoint can exhaust it within hours at modest request rates. That online guessing leads to account takeover is an inference from the stated weakness rather than a claim the description itself makes. The CWE‑521 classification (Weak Password Requirements) is consistent with this reading.

Affected Systems

The affected system is KTM System e‑BOK. Releases prior to the patch published in June 2026 lack the fix; the record lists no specific version numbers, so any deployment that has not taken that patch should be treated as affected.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 (Medium) corresponds to a network-reachable, low-complexity attack that needs no privileges or user interaction and has low impact on confidentiality, integrity, and availability (vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L). No EPSS score is available, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records exploitation as "none" while marking the attack as automatable. The expectation that attackers will run repeated login attempts against the public authentication endpoint is inferred from the small search space, not from observed exploitation. A successful guess yields unauthorized access to the user's account and to whatever data that account exposes.

Generated by OpenCVE AI on June 30, 2026 at 16:10 UTC.

Remediation

The CVE description states that the issue was fixed in a patch published in June 2026; no vendor advisory, patch link, or workaround is referenced on this page.

OpenCVE Recommended Actions

  • Apply the June 2026 patch referenced in the CVE description, then confirm that the login form accepts passwords longer than six characters containing letters and symbols
  • Limit failed login attempts per account as well as per source address, and lock out or delay further attempts once a threshold is exceeded; blocking by IP alone does not stop guessing spread across many sources
  • Enforce a password policy with a minimum length (length is the main lever against guessing) and allow the full printable character set, so that numeric-only six-digit passwords are no longer accepted
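To make the Impact reasoning and the recommended actions concrete, the following added example (written for this page, not code from KTM System e‑BOK or its vendor) encodes the weak rule exactly as the CVE describes it beside an assumed hardened rule, computes the size of each search space and the worst-case time to exhaust it at a given online guess rate, and shows a per-key failed-login throttle in front of a constructed credential check. The hardened thresholds (12-character minimum, 5 failures per 15 minutes) and the mock user store are assumptions, not vendor settings.

```python
"""Added example: weak six-digit policy vs. a hardened policy, the cost of
online guessing, and a failed-login throttle. All names are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Rule reported in the CVE: at most six characters, every one a digit.
WEAK_PATTERN = re.compile(r"[0-9]{1,6}")
PBKDF2_ROUNDS = 100_000  # assumed work factor for the constructed user store


def weak_policy_accepts(password: str) -> bool:
    """Mirrors the reported rule: 1-6 characters, digits only."""
    return WEAK_PATTERN.fullmatch(password) is not None


def strong_policy_accepts(password: str, min_len: int = 12, max_len: int = 128) -> bool:
    """Assumed hardened rule: long, and mixes digits, letters and symbols."""
    if not (min_len <= len(password) <= max_len):
        return False
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    return has_digit and has_alpha and has_symbol


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords with lengths min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an online guesser submitting at the given rate."""
    return space / guesses_per_second


@dataclass
class LoginThrottle:
    """Counts failures per key (account name or client address) and locks the
    key after max_failures inside a sliding window."""
    max_failures: int = 5
    window: float = 900.0         # seconds over which failures accumulate
    lock_duration: float = 900.0  # seconds a key stays locked
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, key: str, now: float) -> bool:
        return self._locked_until.get(key, 0.0) > now

    def record_failure(self, key: str, now: float) -> bool:
        """Record one failure; return True if the key is now locked."""
        recent = [t for t in self._failures.get(key, []) if now - t <= self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lock_duration
            self._failures[key] = []
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Constructed store format: (salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def login(store: dict, throttle: LoginThrottle, username: str, password: str, now: float) -> str:
    """Constructed login flow: throttle check first, then credential check.
    Returns "ok", "denied" or "locked"."""
    if throttle.is_locked(username, now):
        return "locked"
    record = store.get(username)
    if record is not None and verify_password(password, *record):
        throttle.record_success(username)
        return "ok"
    return "locked" if throttle.record_failure(username, now) else "denied"


if __name__ == "__main__":
    weak = keyspace(10, 6)            # digits only, 1..6 characters
    strong = keyspace(95, 12, 12)     # printable ASCII, exactly 12 characters
    print(f"weak keyspace: {weak:,}; hours at 100 guesses/s: {seconds_to_exhaust(weak, 100) / 3600:.1f}")
    print(f"12-char printable keyspace: {strong:.2e}")
    store = {"alice": hash_password("123456")}  # constructed account, weak password
    throttle = LoginThrottle(max_failures=3)
    for i, guess in enumerate(["000000", "000001", "000002", "123456"]):
        print(guess, login(store, throttle, "alice", guess, float(i)))
```

Run stand-alone, the script shows the digit-only space of 1,111,110 candidates being exhaustible in about three hours at a sustained 100 guesses per second, while the third wrong guess locks the constructed account so the correct password is refused until the lock expires. In a real deployment the throttle state would live in shared storage rather than in-process, and the key should combine account and source address so that neither a single-source sweep across accounts nor a distributed sweep against one account slips through.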


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Type      Values removed   Values added
Metrics   (none)           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 14:00:00 +0000

Type          Values removed   Values added
Description   (none)           KTM System e-BOK enforces a maximum password length of six numeric digits and does not permit the use of any alphabetic, special, or extended characters. This issue was fixed in the patch published in June 2026.
Title         (none)           Weak Password Requirements in KTM System e-BOK
Weaknesses    (none)           CWE-521
References    (none)           (empty)
Metrics       (none)           cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-30T14:41:23.417Z

Reserved: 2026-04-01T13:05:10.153Z

Link: CVE-2026-35097

Vulnrichment

Updated: 2026-06-30T14:41:18.752Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses
  • CWE-521

    Weak Password Requirements