Description
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
Published: 2026-05-19
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP‑XM320, up to version 7.7. The server validates session cookies by performing a filesystem existence check on a path derived directly from a user‑controlled cookie value. Because the cookie input is not properly sanitized, an attacker can craft a cookie containing directory traversal characters. The check will then resolve to an arbitrary location on the server’s filesystem, causing the existence test to succeed regardless of a legitimate session. This flaw allows an unauthenticated attacker to bypass authentication and gain access to the HTTP interface that may expose sensitive management functions.

Affected Systems

Panabit PAP‑XM320 embedded HTTP server running firmware version 7.7 or earlier. No other vendors or products are affected.

Risk and Exploitability

The vulnerability permits remote attackers to bypass authentication without requiring any additional privileges or credentials. Although EPSS is not available and the issue is not listed in the CISA KEV catalog, the nature of the flaw—direct authorization bypass—suggests a high likelihood of exploitation in environments where the HTTP interface is exposed to untrusted networks. No CVSS score is provided in the advisory, but the impact warrants immediate attention.

Generated by OpenCVE AI on May 19, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update for the PAP‑XM320 (at least v7.8) to remove the flaw.
  • If an update cannot be performed immediately, disable or restrict external access to the embedded HTTP server by using network segmentation or firewall rules to limit connectivity to trusted hosts only.
  • Implement a temporary mitigation by disabling or manually replacing the session cookie validation mechanism—block requests that contain directory traversal characters or reroute session handling through a secure, sanitized layer—until a vendor patch is available.

Generated by OpenCVE AI on May 19, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass via Directory Traversal in Panabit PAP‑XM320 Embedded HTTP Server
Weaknesses CWE-22
CWE-285

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
Description An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-19T17:37:49.059Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36829

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-19T17:16:22.210

Modified: 2026-05-19T17:16:22.210

Link: CVE-2026-36829

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T17:30:10Z

Weaknesses