Description
Golem OEE MES is vulnerable to an unauthenticated path traversal flaw. This vulnerability allows an attacker in the same local network to read arbitrary files from the server's operating system by manipulating HTTP request paths.
This issue has been fixed in version 11.6.0.
Published: 2026-06-11
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated path traversal flaw that permits an attacker on the same local network to read any file on the server's operating system by manipulating HTTP request paths. This flaw falls under CWE-22 and compromises confidentiality by exposing configuration files, credentials, or other sensitive data.

Affected Systems

The issue affects the Neuron Soft Golem OEE MES application. All releases prior to version 11.6.0 are vulnerable; the fix was introduced in 11.6.0. Deployments running older versions without the update are exposed.

Risk and Exploitability

The CVSS score of 8.3 denotes high severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the flaw can be exploited by any host on the same local network that can send HTTP requests to the MES service. No authentication or privilege escalation is required, making the attack straightforward for an adversary with local network access.

Generated by OpenCVE AI on June 11, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Neuron Soft Golem OEE MES to version 11.6.0 or later, which resolves the path traversal flaw.
  • Limit access to the MES HTTP endpoints so that only trusted hosts or VPN‑connected clients can reach them, thereby reducing the local attack surface.
  • Implement URL filtering or input validation at a web‑application firewall to block traversal sequences before they reach the application, as a temporary containment measure if patching cannot occur immediately.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Type: Description
Values Added: Golem OEE MES is vulnerable to an unauthenticated path traversal flaw. This vulnerability allows an attacker in the same local network to read arbitrary files from the server's operating system by manipulating HTTP request paths. This issue has been fixed in version 11.6.0

Type: Title
Values Added: Path traversal in Neuron Soft Golem OEE MES

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: none

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-11T12:13:26.247Z

Reserved: 2026-05-13T11:32:03.878Z

Link: CVE-2026-8464

Vulnrichment

Updated: 2026-06-11T12:13:11.475Z

NVD

Status: Received

Published: 2026-06-11T12:16:32.717

Modified: 2026-06-11T12:16:32.717

Link: CVE-2026-8464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')