A race condition in PaperCut MF arises while processing badge‑swipe data from certain HP multifunction devices. When network conditions cause dropped packets and out‑of‑order sequence counters, the server can incorrectly process fragmented chunks. If a sequence reset notification fails to arrive, the server may reject the first chunk but erroneously accept subsequent ones after the connection reset finishes. This produces a truncated badge ID string. In most cases the truncated ID merely causes authentication failure, but in environments that run custom badge‑ID post‑processing scripts the malformed identifier can be rewired into a valid ID belonging to another user, resulting in an unauthorized session establishment. The flaw stems from inadequate input validation and improper sequence‑number handling (CWE‑20 and CWE‑367).

All deployments of PaperCut NG and PaperCut MF that use the affected integration with HP multifunction readers are potentially susceptible. No precise version range is provided, so any installation of these products should be considered at risk until a vendor patch is applied.

The CVSS score of 4.1 signals a low‑to‑medium severity, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is unavailable, but the exploit requires a specific sequence of packet loss and out‑of‑order delivery, making accidental exploitation unlikely. An attacker who can reliably manipulate traffic between the HP device and the PaperCut server could trigger the race condition; if custom badge‑ID post‑processing scripts are in place, the attacker could impersonate another user. Therefore, the risk escalates in setups that use such scripts and where an attacker can control network conditions.