CVE-2026-36829
Deferred Deferred - Pending Action
Authentication Bypass via Directory Traversal in Panabit PAP-XM320

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: MITRE

Description
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-36829
EUVD
EUVD-2026-30953
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
panabit pap-xm320 to 7.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authentication bypass in the embedded HTTP server of Panabit PAP-XM320 devices up to version 7.7. The server checks session cookies by verifying the existence of files on the filesystem using a value from a user-controlled cookie. Because this value is not properly sanitized, an attacker can perform directory traversal attacks, allowing them to bypass authentication mechanisms.

Compliance Impact

The vulnerability allows authentication bypass via directory traversal in the embedded HTTP server of Panabit PAP-XM320, potentially exposing sensitive data and compromising system integrity.

Such a security flaw could lead to unauthorized access to protected information, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive data.

However, the provided information does not explicitly mention the impact on compliance with these standards.

Detection Guidance

This vulnerability involves an authentication bypass in the embedded HTTP server of Panabit PAP-XM320 devices up to version 7.7, caused by improper sanitization of user-controlled session cookies allowing directory traversal.

To detect this vulnerability on your network or system, you can attempt to access the embedded HTTP server and test for authentication bypass by manipulating session cookies to include directory traversal sequences (e.g., ../) and observe if unauthorized access is granted.

Specific commands or tools to detect this might include using curl or a web proxy tool to send HTTP requests with crafted cookies. For example:

  • curl -v --cookie "session=../../etc/passwd" http://<device-ip>/
  • Use a web proxy like Burp Suite to intercept and modify session cookies to include directory traversal payloads and check for unauthorized access.
Mitigation Strategies

Immediate mitigation steps include restricting access to the embedded HTTP server of Panabit PAP-XM320 devices by limiting network exposure, such as placing the device behind a firewall or VPN.

Additionally, disable or restrict HTTP management interfaces if possible, and monitor for suspicious authentication bypass attempts.

Contact Panabit support or check for firmware updates that address this vulnerability and apply patches as soon as they become available.

Impact Analysis

An attacker exploiting this vulnerability can bypass authentication on the affected device's HTTP server. This means unauthorized users could gain access to administrative or sensitive functions without proper credentials, potentially leading to unauthorized control, data exposure, or manipulation of the device.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36829. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart