Description
A vulnerability was identified in Newgen OmniDocs up to 12.0.00. It affects unknown functionality of the file /omnidocs/GetWebApiConfiguration. Manipulation of the argument connectionDetails leads to information disclosure. The attack can be carried out remotely. The attack is considered to have high complexity, and exploitation appears to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

A flaw exists in Newgen OmniDocs v12.0.00 and earlier that allows remote actors to send a specially crafted connectionDetails parameter to the /omnidocs/GetWebApiConfiguration endpoint. The server responds with sensitive configuration information, leading to an unauthorized disclosure of data. The weakness maps to CWE-200 (information exposure) and CWE-284 (improper access control).

Affected Systems

The affected product is Newgen OmniDocs, versions up to and including 12.0.00. Any installation that exposes the /omnidocs/GetWebApiConfiguration endpoint without proper access controls is at risk.

Risk and Exploitability

The CVSS score of 6.3 places the vulnerability in the medium severity range. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog. The attack vector is remote, presumably over HTTP or HTTPS, and is considered difficult due to high complexity. However, an exploit is publicly available, thereby reducing the barrier for attackers. Organizations running vulnerable OmniDocs deployments face a moderate risk of unauthorized information exposure.

Generated by OpenCVE AI on April 2, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a vendor patch exists for CVE‑2026‑5413 and upgrade the OmniDocs installation to the latest release if available.
  • If no patch is available, limit access to the /omnidocs/GetWebApiConfiguration endpoint to trusted IP ranges or internal users by using firewall rules or network segmentation.
  • Consider disabling the GetWebApiConfiguration API if it is not required for business processes.
  • Monitor web traffic and logs for suspicious requests to /omnidocs/GetWebApiConfiguration and investigate anomalies promptly.
  • Apply general security hardening: keep all software up to date, enforce least‑privilege access, and regularly review vendor security advisories.
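
An added example for the monitoring recommendation above, not code from OpenCVE or Newgen: a Python triage pass over web access logs that picks out requests to /omnidocs/GetWebApiConfiguration and labels them by source address and response status. The Combined Log Format, the trusted range 10.20.0.0/16 and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/omnidocs/getwebapiconfiguration"  # path from the advisory, lower-cased
PARAM = "connectiondetails"                    # argument named in the advisory
# Assumption: placeholder for the ranges this deployment treats as trusted.
TRUSTED = [ipaddress.ip_network("10.20.0.0/16")]
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def review(lines, trusted=TRUSTED):
    """Return one finding per request to the endpoint, with a triage label."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        # Decode percent-escapes and collapse repeated slashes before comparing.
        path = re.sub(r"/+", "/", unquote(parts.path)).lower().rstrip("/")
        if path != ENDPOINT:
            continue
        try:
            inside = any(ipaddress.ip_address(ip) in net for net in trusted)
        except ValueError:
            inside = False  # unparsable client field: treat as untrusted
        keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if inside:
            label = "internal"
        elif status.startswith("2"):
            label = "investigate"    # untrusted source received a success response
        else:
            label = "blocked-probe"  # untrusted source, request refused
        findings.append({"ip": ip, "time": ts, "method": method,
                         "status": int(status), "param_in_query": PARAM in keys,
                         "label": label})
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '10.20.4.7 - - [02/Apr/2026:09:12:01 +0000] "GET /omnidocs/GetWebApiConfiguration HTTP/1.1" 200 512',
    '203.0.113.50 - - [02/Apr/2026:21:40:13 +0000] "POST /omnidocs/GetWebApiConfiguration?connectionDetails=REDACTED HTTP/1.1" 200 2048',
    '203.0.113.50 - - [02/Apr/2026:21:40:15 +0000] "POST /omnidocs//%47etWebApiConfiguration HTTP/1.1" 403 0',
    '198.51.100.9 - - [02/Apr/2026:21:41:00 +0000] "GET /healthcheck HTTP/1.1" 200 12',
]
if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Access logs do not record request bodies, so a connectionDetails value sent in a POST body will not appear; the labels therefore depend on path, source and status, with `param_in_query` as extra context only.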


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Newgensoft; Newgensoft omnidocs
Vendors & Products | | Newgensoft; Newgensoft omnidocs

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Newgen OmniDocs up to 12.0.00. Affected by this vulnerability is an unknown functionality of the file /omnidocs/GetWebApiConfiguration. The manipulation of the argument connectionDetails leads to information disclosure. The attack is possible to be carried out remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Newgen OmniDocs GetWebApiConfiguration information disclosure
Weaknesses | | CWE-200; CWE-284
References | |
Metrics | | cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T19:10:24.735Z

Reserved: 2026-04-02T08:02:10.455Z

Link: CVE-2026-5413

Vulnrichment

Updated: 2026-04-02T19:10:20.322Z

NVD

Status: Deferred

Published: 2026-04-02T18:16:35.563

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-5413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:13Z

Weaknesses