Description
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software.

Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website.

The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.
Published: 2026-04-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Disclosure
Action: Patch Immediately
AI Analysis

Impact

The LabOne Web Server lacks sufficient input validation in its file access functionality. An unauthenticated attacker can supply directory-traversal sequences to read arbitrary files on the host that the operating system user running LabOne can access. In addition, the server does not properly restrict cross-origin requests, allowing a remote attacker to trigger malicious file requests from a victim's browser. This weakness corresponds to path traversal (CWE-22) and insufficient cross-origin protection (CWE-346).

Affected Systems

All Zurich Instruments LabOne installations that include the embedded Web Server component and are running a version prior to 26.01.3.9. The specified fix applies to these releases; installations that have upgraded to 26.01.3.9 or later are considered protected.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity, while the EPSS score of less than 1% reflects a very low probability of exploitation at this time. It is not listed in the CISA KEV catalog. Exploitation requires that the Web Server be running and requires no authentication. The likely attack vectors include an attacker on the same internal network or a malicious website that a user visits while the LabOne host's Web Server is active, both capable of triggering the vulnerable file-access behavior. Successful exploitation would allow an attacker to read any files readable by the LabOne OS user, potentially compromising confidential or sensitive data.

Generated by OpenCVE AI on April 28, 2026 at 14:55 UTC.

Remediation

Vendor Solution

Update to LabOne 26.01.3.9 or later. The update can be applied directly through the LabOne software, or downloaded from the Zurich Instruments Download Center at https://www.zhinst.com/support/download-center.


Vendor Workaround

Upgrading to LabOne 26.01.3.9 or later is the only complete remediation. For customers who cannot upgrade immediately, the following workarounds reduce the risk and should be applied together.

Against a same-network attacker (an actor on the same network connecting directly to the LabOne Web Server):

  • Configure a local firewall to limit access to the LabOne Web Server (default port 8006) to localhost only, preventing access from other hosts on the network.
  • Operate systems running LabOne only within a dedicated, trusted laboratory network that is not connected to the general corporate network or the internet.

Against a malicious-website attacker (a user visits an untrusted website while the LabOne Web Server is running, and the website triggers the vulnerable behaviour through the user's browser):

  • Do not browse untrusted or unknown websites on systems where the LabOne Web Server is active. Where practical, dedicate the LabOne host to instrument control only and avoid general-purpose web browsing on it.

Additional risk reduction:

  • For systems that cannot be upgraded, avoiding the storage of credentials, personal data, or sensitive research data on the LabOne host reduces the impact of a successful exploit.
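A practical way to verify the first workaround (Web Server reachable from localhost only) is to check what the host is actually listening on. The script below is an added example, not Zurich Instruments or OpenCVE code: it parses listening-socket output pasted from the host and reports any listener on the LabOne Web Server port (default 8006, as stated in the workaround) that is bound to a non-loopback address. It assumes the column layouts of Linux `ss -ltn`, Linux `netstat -ltn` and Windows `netstat -an`; the sample outputs embedded in it are constructed, not captured from a real LabOne host.

```python
"""Exposure check for the localhost-only workaround.

Added example, not Zurich Instruments or OpenCVE code. It reads listening-socket
output that an operator pastes in and reports any listener on the LabOne Web
Server port (default 8006, from the advisory) that is bound to a non-loopback
address and is therefore reachable from other hosts. Assumed input formats:
Linux `ss -ltn`, Linux `netstat -ltn`, and Windows `netstat -an`. The sample
outputs below are constructed, not captured from a real LabOne host.
"""
import ipaddress

LABONE_PORT = 8006  # default LabOne Web Server port named in the workaround


def split_addr_port(field):
    """Split an 'addr:port' column into (addr, port).

    Accepts '0.0.0.0:8006', '127.0.0.1:8006', '[::]:8006', '[::1]:8006',
    ':::8006' and '*:8006'. The last ':' separates the port, so IPv6
    addresses (which themselves contain ':') need no special case.
    """
    host, sep, port = field.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an address:port column: {field!r}")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for loopback bindings. Wildcard/unspecified addresses
    ('*', '0.0.0.0', '::') accept connections on every interface."""
    if host in ("*", "", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def local_address_field(fields):
    """Return the local-address column of one listener line, or None when the
    line is a header, a non-listening socket, or an unrecognised format."""
    if fields[0] == "LISTEN" and len(fields) >= 4:  # Linux: ss -ltn
        return fields[3]
    if fields[0] in ("tcp", "tcp6") and len(fields) >= 6 and fields[5] == "LISTEN":  # Linux: netstat -ltn
        return fields[3]
    if fields[0] == "TCP" and len(fields) >= 4 and fields[3] == "LISTENING":  # Windows: netstat -an
        return fields[1]
    return None


def exposed_listeners(output, port=LABONE_PORT):
    """Return (address, port) pairs for listeners on `port` that are not bound
    to loopback. An empty list means the port is only reachable locally at the
    socket level; the firewall rule from the workaround is still the control
    to apply when the server itself binds 0.0.0.0 or ::."""
    findings = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        local = local_address_field(fields)
        if local is None:
            continue
        try:
            host, listen_port = split_addr_port(local)
        except ValueError:
            continue
        if listen_port == port and not is_loopback(host):
            findings.append((host, listen_port))
    return findings


# Constructed sample in `ss -ltn` layout (not a real capture).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8006      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8006        0.0.0.0:*
LISTEN 0      128    [::]:8006           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

# Constructed sample in Windows `netstat -an` layout (not a real capture).
SAMPLE_WINDOWS_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8006         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8006           0.0.0.0:0              LISTENING
  TCP    [::1]:8006             [::]:0                 LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""


if __name__ == "__main__":
    for name, sample in (("ss", SAMPLE_SS_OUTPUT), ("netstat", SAMPLE_WINDOWS_OUTPUT)):
        hits = exposed_listeners(sample)
        status = "EXPOSED" if hits else "localhost-only"
        print(f"{name}: port {LABONE_PORT} {status} {hits}")
```

On the LabOne host, capture `ss -ltn` (Linux) or `netstat -an` (Windows) and pass the text to `exposed_listeners`. A non-empty result means the Web Server accepts connections from other hosts and the local-firewall rule in the workaround is needed; an empty result only confirms the socket binding, so keep the firewall rule in place regardless, since it is the mitigation the vendor actually specifies.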


OpenCVE Recommended Actions

  • Update LabOne to version 26.01.3.9 or later using the built-in update function or by downloading the patch from Zurich Instruments.
  • If an update cannot be applied immediately, block external access to the LabOne Web Server (port 8006) by configuring the local firewall to accept connections only from localhost.
  • Run LabOne only on a dedicated, trusted laboratory network that is isolated from the general corporate network and the Internet.
  • Avoid browsing untrusted websites on any system that has the LabOne Web Server running, or dedicate the host machine solely for instrument control.
  • For systems that cannot be upgraded or isolated, refrain from storing credentials, personal data, or sensitive research data on the LabOne host to reduce the impact of a successful exploit.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zurich Instruments; Zurich Instruments labone
Vendors & Products | | Zurich Instruments; Zurich Instruments labone

Thu, 23 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 10:00:00 +0000

Type | Values Removed | Values Added
Description | | The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website. The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.
Title | | Path Traversal Vulnerability in LabOne User Interface
Weaknesses | | CWE-22; CWE-346
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-23T12:06:00.172Z

Reserved: 2026-04-23T09:44:28.397Z

Link: CVE-2026-6903

Vulnrichment

Updated: 2026-04-23T12:05:56.110Z

NVD

Status : Deferred

Published: 2026-04-23T10:16:18.680

Modified: 2026-05-19T15:44:56.380

Link: CVE-2026-6903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses