Description
mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user.

This issue affects mpGabinet version 23.12.19 and below.
Published: 2026-04-28
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mpGabinet performs client-side authentication, which means the application verifies a user's credentials locally rather than on the backend server. An attacker who gains the ability to modify the application binary can change the authentication logic and log in as any user without providing valid credentials. This flaw enables an attacker to gain unauthorized access, potentially exposing sensitive data and allowing further lateral movement if the backend privileges are high. The weakness is classified as CWE-603, Use of Client-Side Authentication.

Affected Systems

The vulnerability affects BinSoft's mpGabinet product, specifically version 23.12.19 and earlier releases. Only installations of these versions with the default client-side authentication enabled are susceptible; newer releases have presumably removed this client-side validation.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.4, indicating high severity. No EPSS score is available, so the current exploit probability is unknown, but the lack of a KEV listing suggests no known large-scale exploitation at this time. The likely attack vector involves an attacker with access to any application instance that connects to the backend server; we infer that such access could be obtained either remotely through a public interface or locally by compromising a user's machine. Once the binary is tampered with, the attacker can authenticate as an arbitrary user, leading to unauthorized system access.

Generated by OpenCVE AI on April 28, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mpGabinet to a version newer than 23.12.19, ensuring client-side authentication is disabled and server-side verification is enforced.
  • Disable any remaining client-side authentication mechanisms in configuration to force server-side verification.
  • Restrict file permissions and enforce integrity checks on the application binary to prevent unauthorized tampering.
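To make the difference between the two designs concrete, here is an added Python illustration. It is not BinSoft's code: mpGabinet's actual protocol is not described in this record, and the user store, record names and request shape are assumptions. The first backend accepts an `authenticated` flag that the client computed locally, which is the CWE-603 pattern; the second verifies the password itself and hands out a server-side session token, so nothing the client holds or alters can stand in for a successful login.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store. In a real deployment it exists only on the backend;
# the fixed salt keeps this example reproducible (use a random per-user salt in practice).
_SALT = b"constructed-demo-salt"
_ITERATIONS = 50_000


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the client never needs to see this output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": hash_password("correct horse battery")}   # constructed account
RECORDS = {"alice": "alice's records"}                       # constructed data


class VulnerableBackend:
    """CWE-603 pattern: the backend trusts an 'authenticated' flag that the
    client computed. Anything that sets the flag (a modified binary, a
    hand-built request) is indistinguishable from a real login."""

    def get_records(self, request: dict):
        if not request.get("authenticated"):
            return None
        return RECORDS.get(request.get("user"))


class HardenedBackend:
    """Server-side verification: credentials are checked here, and access is
    tied to a server-issued session token the client cannot compute itself."""

    def __init__(self):
        self._sessions: dict[str, str] = {}  # token -> user

    def login(self, user: str, password: str):
        stored = USERS.get(user)
        # Hash even for unknown users so response timing does not reveal valid names.
        candidate = hash_password(password)
        if stored is None or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def get_records(self, request: dict):
        # Only the token is consulted; a client-supplied user name or flag is ignored.
        user = self._sessions.get(request.get("token", ""))
        if user is None:
            return None
        return RECORDS.get(user)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def demo() -> dict:
    """Send the same credential-free request to both backends and return the outcomes."""
    forged = {"user": "alice", "authenticated": True}  # no password involved anywhere
    hardened = HardenedBackend()
    token = hardened.login("alice", "correct horse battery")
    return {
        "vulnerable_serves_forged": VulnerableBackend().get_records(forged),
        "hardened_serves_forged": hardened.get_records(forged),
        "hardened_bad_password": hardened.login("alice", "wrong"),
        "hardened_with_token": hardened.get_records({"token": token}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The third recommended action (file permissions and integrity checks on the binary) raises the cost of tampering but does not remove the root cause: as long as the server honours a client-side decision, any client that can be altered is a login bypass. Moving the check to the server, as in `HardenedBackend`, is what makes the binary's integrity irrelevant to authentication.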

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type / Values added
First Time appeared: Binsoft; Binsoft mpgabinet
Vendors & Products: Binsoft; Binsoft mpgabinet

Tue, 28 Apr 2026 15:15:00 +0000

Type / Values added
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 13:45:00 +0000

Type / Values added
Description: mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below.
Title: Use of Client-Side Authentication in mpGabinet
Weaknesses: CWE-603
References:
Metrics (cvssV4_0): {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Binsoft Mpgabinet
MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-28T14:16:14.744Z

Reserved: 2026-04-14T09:44:32.552Z

Link: CVE-2026-40551

Vulnrichment

Updated: 2026-04-28T14:16:10.502Z

NVD

Status : Deferred

Published: 2026-04-28T14:16:13.510

Modified: 2026-04-28T20:20:09.767

Link: CVE-2026-40551

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:44Z

Weaknesses