CVE-2026-0663
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-02-23

Assigner: M-Files Corporation

Description
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0663
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
m-files m-files_server to 26.1.15632.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1286 The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0663 is a denial-of-service (DoS) vulnerability in M-Files Server versions before 26.1.15632.3. It allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a specific vulnerable API endpoint. The vulnerability is due to improper validation of input syntax and involves input data manipulation. [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker with vault administrator privileges to crash the M-Files Server process, causing a denial-of-service condition. This means the server becomes unavailable, potentially disrupting access to data and services dependent on the M-Files Server. [1]

Detection Guidance

Detection of this vulnerability involves verifying if your M-Files Server version is prior to 26.1.15632.3 and monitoring for crashes of the M-Files Server process triggered by calls to the vulnerable API endpoint. Since exploitation requires authenticated vault administrator privileges and involves invoking a specific API, you can check server logs for unusual API calls or crashes. Specific commands are not provided in the available resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the M-Files Server to version 26.1.15632.3 or later, which contains the fix for this vulnerability. Additionally, restrict vault administrator privileges to trusted users only and monitor API usage to detect any suspicious activity. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0663. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart