CVE-2026-40552
Received Received - Intake
Remote Command Execution in mpGabinet via Attachment Path Manipulation

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: CERT.PL

Description
mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account. This issue affects mpGabinet version 23.12.19 and below.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40552
EUVD
EUVD-2026-26046
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mpgabinet mpgabinet to 23.12.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can execute system commands by uploading an attachment and then modifying its storage path in the database to point to an attacker-controlled remote network resource. Alternatively, an attacker can use a previously uploaded file and change its reference. When the application processes the attachment and a user tries to open it, the referenced resource is executed by the system.

Moreover, this vulnerability can be exploited by any unauthenticated attacker by chaining it with two other vulnerabilities (CVE-2026-40550 and CVE-2026-40551) that allow obtaining database access and logging onto any account.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary system commands on the server hosting the mpGabinet application. This can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and potential further exploitation of the affected environment.

Since an unauthenticated attacker can chain this vulnerability with others to gain database access and log into any account, the impact includes loss of confidentiality, integrity, and availability of the system and its data.

Compliance Impact

The vulnerability in mpGabinet allows remote command execution by an authorized user with database access, and can be exploited by unauthenticated attackers through chaining with other vulnerabilities to gain database access and account login.

Such unauthorized access and execution could lead to unauthorized data exposure, modification, or system compromise, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, this vulnerability potentially impacts compliance by increasing the risk of data breaches and unauthorized access to sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40552. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart