CVE-2026-6903

Severity: High
Published: 23 April 2026
Modified: 19 May 2026
KEV Added: not listed
Patch: available (see References)
CVSS v4 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0034 (25.2 percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6903 is a high-severity Path Traversal (CWE-22) vulnerability in a Zhinst (Zurich Instruments) product; the vendor is inferred from the references. Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6903 affects the LabOne Web Server, which supports the LabOne User Interface from Zurich Instruments. The vulnerability stems from insufficient input validation in the file access functionality, associated with CWE-22 (path traversal) and CWE-346 (origin validation error). This allows an unauthenticated attacker to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the web server fails to adequately restrict cross-origin requests. The issue is only exploitable when the LabOne Web Server is actively running; installations using only the LabOne APIs without the web server are not exposed. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated remote attacker can directly exploit the file access flaw over the network to disclose sensitive files without requiring privileges or user interaction. Separately, the lack of cross-origin restrictions enables a remote attacker to trigger the file read from a victim's browser by luring the victim to a malicious website, potentially exfiltrating files accessible to the LabOne process.

Zurich Instruments has published security advisory ZI-SA-2026-001 detailing the issue, available at https://www.zhinst.com/support/security/2026/zi-sa-2026-001/. Mitigation involves applying patches from the download center at https://www.zhinst.com/support/download-center/.

Vulnerability details

The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software. Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website. The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.

CWE(s)

CWE-22 (Path Traversal)
CWE-346 (Origin Validation Error)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in a public-facing web server enables remote arbitrary file read: T1190 covers exploitation of the application itself, and T1005 covers the resulting access to local file data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)
CVE-2025-44177 (shared CWE-22)
CVE-2023-42226 (shared CWE-22)
CVE-2026-39859 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2026-23939 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2025-69411 (shared CWE-22)

Affected Assets

Zhinst (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-10 (Information Input Validation) directly addresses the insufficient input validation causing path traversal and origin validation errors in the LabOne Web Server's file access functionality.

Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, such as applying Zurich Instruments' patches, to comprehensively fix the input validation and cross-origin restriction vulnerabilities.

Prevent: AC-6 (Least Privilege) mitigates damage from arbitrary file reads by enforcing least privilege on the operating system user running the LabOne Web Server, limiting the set of accessible files.

References

Zurich Instruments security advisory ZI-SA-2026-001: https://www.zhinst.com/support/security/2026/zi-sa-2026-001/
Zurich Instruments download center (patched releases): https://www.zhinst.com/support/download-center/