CVE-2026-6903
Published: 23 April 2026
Summary
CVE-2026-6903 is a high-severity Path Traversal (CWE-22) vulnerability in the LabOne Web Server from Zurich Instruments (vendor zhinst, inferred from the references). Its listed CVSS base score is 8.7 (High); the CVSS v3.1 vector quoted in the deeper analysis evaluates to 7.5.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 25.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6903 affects the LabOne Web Server, which supports the LabOne User Interface from Zurich Instruments. The vulnerability stems from insufficient input validation in the file access functionality, associated with CWE-22 (path traversal) and CWE-346 (origin validation error). This allows an unauthenticated attacker to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the web server fails to adequately restrict cross-origin requests. The issue is only exploitable when the LabOne Web Server is actively running; installations using only the LabOne APIs without the web server are not exposed. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An unauthenticated remote attacker can directly exploit the file access flaw over the network to disclose sensitive files without requiring privileges or user interaction. Separately, the lack of cross-origin restrictions enables a remote attacker to trigger the file read from a victim's browser by luring the victim to a malicious website, potentially exfiltrating files accessible to the LabOne process.
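The two defects described above, a file-access handler that joins attacker-controlled paths under its serving directory without canonicalising them (CWE-22) and a server that does not check which origin a request came from (CWE-346), can be shown side by side in a few lines. The following is an added example written for this page; it is not Zurich Instruments' code, and the handler names, the served directory layout and the allowed-origin list are hypothetical. It builds a throwaway directory with one served file and one secret file outside the served tree, then contrasts a naive read with a hardened one.

```python
"""Added example, not LabOne code: a naive file-access handler beside a
hardened one, showing path traversal (CWE-22) and origin validation
(CWE-346). Directory layout, handler names and origins are hypothetical."""
from __future__ import annotations

import os
import tempfile
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed sandbox: a "served" directory plus a secret file one level above it.
_ROOT = tempfile.mkdtemp()
SERVED_DIR = os.path.join(_ROOT, "www")
os.makedirs(SERVED_DIR)
with open(os.path.join(SERVED_DIR, "index.html"), "w") as f:
    f.write("<h1>LabOne UI</h1>")
with open(os.path.join(_ROOT, "secret.txt"), "w") as f:
    f.write("top secret")

# Hypothetical allowlist of browser origins permitted to talk to the server.
ALLOWED_ORIGINS = {"http://localhost:8006", "http://127.0.0.1:8006"}


def vulnerable_read(requested: str) -> bytes:
    """Naive handler: URL-decodes the path and joins it under SERVED_DIR.
    '..' segments are never rejected, so the join walks out of the directory."""
    path = os.path.join(SERVED_DIR, unquote(requested).lstrip("/"))
    with open(path, "rb") as f:
        return f.read()


def safe_resolve(requested: str) -> Optional[str]:
    """Decode, canonicalise (realpath follows '..' and symlinks) and confine
    the result to SERVED_DIR. Returns None if the path would escape."""
    decoded = unquote(requested)
    if "\x00" in decoded:  # NUL would truncate the path at the OS layer
        return None
    base = os.path.realpath(SERVED_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    # Component-wise prefix check; a plain startswith() would accept "www2/".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def hardened_read(requested: str, origin: Optional[str]) -> Tuple[int, bytes]:
    """Reject browser requests from unknown origins before touching the
    filesystem, then serve only files that resolve inside SERVED_DIR."""
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, b"origin not allowed"
    path = safe_resolve(requested)
    if path is None or not os.path.isfile(path):
        return 404, b"not found"
    with open(path, "rb") as f:
        return 200, f.read()


if __name__ == "__main__":
    # Traversal, plain and percent-encoded, succeeds against the naive handler.
    print(vulnerable_read("../secret.txt"))
    print(vulnerable_read("%2e%2e/secret.txt"))
    # The hardened handler refuses it and also refuses a foreign origin.
    print(hardened_read("../secret.txt", None))
    print(hardened_read("index.html", "https://attacker.example"))
    print(hardened_read("index.html", "http://localhost:8006"))
```

Two points worth noting. The origin check only helps against the browser-driven variant: a direct request from a script carries no Origin header and goes straight to the path check, so canonicalisation and the prefix comparison are what close the unauthenticated file read. And the comparison must run on the decoded, canonical path; checking the raw URL for `..` misses `%2e%2e`, while comparing with `startswith` instead of a component-wise check accepts a sibling directory whose name merely begins with the served directory's name.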
Zurich Instruments has published security advisory ZI-SA-2026-001 detailing the issue, available at https://www.zhinst.com/support/security/2026/zi-sa-2026-001/. Mitigation involves applying patches from the download center at https://www.zhinst.com/support/download-center/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25215
Vulnerability details
The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website. The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal in a public-facing web server enables remote arbitrary file read: T1190 covers exploitation of the application itself, and T1005 (Data from Local System) covers the resulting access to files on the host.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
SI-10 directly addresses the root cause: the LabOne Web Server's file access functionality does not validate the requested path or the request origin, which is what produces the path traversal and origin validation errors.
SI-2 requires timely flaw remediation, in this case installing Zurich Instruments' patched release, which is the only change that fixes both the input validation and the cross-origin restriction defects.
AC-6 limits the damage of an arbitrary file read by running the LabOne Web Server under a least-privilege operating system user, so that the set of files an attacker can disclose is as small as possible.