Description
An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.



Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files.



When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.
Published: 2026-05-05
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An administrator‑configurable synchronization feature in PaperCut MF allows the selection of a source path for account data. Because the application does not properly validate or sanitize the given path, an authenticated user with administrative privileges can submit arbitrary file paths that reside on the server’s local file system. This flaw permits data enumeration, and when the synchronization is executed the application parses the file contents and displays them in its account management interface, thereby exposing sensitive configuration or system files to the attacker. The weakness is a classic Path Traversal issue (CWE‑36) compounded by insufficient access controls (CWE‑552).

Affected Systems

PaperCut’s Account Management Utility, specifically PaperCut NG/MF. The flaw was identified in version 25.0.4 of PaperCut MF. The description does not reference newer or older versions.

Risk and Exploitability

The CVSS score of 4.6 indicates low adversary effort, yet the risk intensifies if the application runs with elevated permissions. Exploitation requires an authenticated administrator. No EPSS score is provided and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited exploitation activity to date. Nonetheless, because any privileged administrator can invoke the flaw, organisations should view it as a potential confidentiality risk if the service account has broad read rights to the underlying file system.

Generated by OpenCVE AI on May 5, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PaperCut MF patch or upgrade to a version where the path traversal bug is fixed.
  • If a patch is not immediately available, restrict the ability of administrators to modify the synchronization source path by locking configuration or using a role that lacks this permission.
  • Disable or isolate the synchronization feature if it is not required in the environment.
  • Implement logging or monitoring for path resolution failures or unauthorized file access attempts during synchronization.

Generated by OpenCVE AI on May 5, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Papercut papercut Ng
CPEs cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
Vendors & Products Papercut papercut Ng
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Tue, 05 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Papercut
Papercut papercut Mf
Vendors & Products Papercut
Papercut papercut Mf

Tue, 05 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files. When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running.
Title PaperCut NG/MF: Path Traversal in Shared Account Synchronization
Weaknesses CWE-36
CWE-552
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Papercut Papercut Mf Papercut Ng
cve-icon MITRE

Status: PUBLISHED

Assigner: PaperCut

Published:

Updated: 2026-05-05T12:41:36.541Z

Reserved: 2026-04-16T03:15:03.794Z

Link: CVE-2026-6418

cve-icon Vulnrichment

Updated: 2026-05-05T12:41:33.146Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T07:16:00.970

Modified: 2026-05-12T15:53:35.860

Link: CVE-2026-6418

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T21:30:05Z

Weaknesses