CVE-2026-34023
Incorrect Authorization in Wertheim SafeController WebMessageBroker via WebSocket Manipulation

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: SEC Consult Vulnerability Lab

Description
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user's authorized branch.
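The authorization defect the description names, as an added illustration that is not Wertheim's code and not the WebMessageBroker's real protocol: the message shape, controller identifiers, branch names and roles below are constructed assumptions. The vulnerable handler checks only who is calling; the hardened one also checks that the controller named in the message belongs to the caller's branch.

```python
"""Branch-scoped authorization for a WebSocket message handler (constructed example)."""
import json
import logging
from dataclasses import dataclass

# Constructed inventory: which branch owns each controller (hypothetical ids).
CONTROLLER_BRANCH = {"ctl-101": "branch-A", "ctl-102": "branch-A", "ctl-201": "branch-B"}


@dataclass(frozen=True)
class Session:
    user: str
    branch: str   # branch the user was authenticated for
    role: str     # "branch_user" is the low-privileged role; "admin" spans branches


def handle_vulnerable(session: Session, raw: str) -> dict:
    """CWE-863 pattern: only the subject (logged-in role) is checked; the
    controller_id carried in the message is trusted as-is, so a branch user
    can name a controller from any branch."""
    msg = json.loads(raw)
    if session.role not in ("branch_user", "admin"):
        return {"ok": False, "error": "forbidden"}
    return {"ok": True, "activated": msg["controller_id"]}


def handle_hardened(session: Session, raw: str) -> dict:
    """Authorize the object as well as the subject: the controller must be
    owned by the caller's branch unless the caller is an admin."""
    msg = json.loads(raw)
    if msg.get("action") != "activate_box":
        return {"ok": False, "error": "unsupported action"}
    ctl = msg.get("controller_id")
    owner = CONTROLLER_BRANCH.get(ctl)
    if owner is None:
        return {"ok": False, "error": "unknown controller"}
    if session.role != "admin" and owner != session.branch:
        # Deny and record the cross-branch attempt so it can be alerted on.
        logging.warning("AUTHZ DENY user=%s branch=%s controller=%s owner=%s",
                        session.user, session.branch, ctl, owner)
        return {"ok": False, "error": "forbidden"}
    return {"ok": True, "activated": ctl}


if __name__ == "__main__":
    user = Session("alice", "branch-A", "branch_user")
    cross_branch = json.dumps({"action": "activate_box", "controller_id": "ctl-201"})
    print(handle_vulnerable(user, cross_branch))  # activates a branch-B controller
    print(handle_hardened(user, cross_branch))    # denied and logged
```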
Affected Vendors & Products

Vendor    Product                      Version / Range
wertheim  safecontroller               6.15.8328.28014
wertheim  safe_deposit_box_management  6.0
CWE

CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

The vulnerability in the Wertheim SafeController Software involves incorrect authorization in the WebSocket communication used by the SafeController WebMessageBroker.

An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches.

This manipulation allows the attacker to access restricted functions and resources in branches they are not authorized to access, including activating boxes outside their authorized branch.

This vulnerability is critical and part of a series of issues that could potentially lead to remote code execution on the application's host with the software's privileges.

Impact Analysis

This vulnerability can allow an attacker with low-privileged credentials to bypass authorization controls and access restricted functions and resources in other branches.

Such unauthorized access could lead to manipulation or activation of safe deposit boxes outside the attacker's authorized branch.

In combination with other vulnerabilities, this flaw could enable remote code execution on the host system, potentially compromising the entire application and its data.

This could result in significant security breaches, loss of control over safe deposit boxes, and exposure of sensitive customer information.

Mitigation Strategies

The vendor has provided a patch for the vulnerability, which should be installed immediately to mitigate the risk.

Additionally, it is recommended to perform a thorough security review of the product to identify and resolve any other potential vulnerabilities.

Compliance Impact

The vulnerability in Wertheim SafeController software allows an attacker with low-privileged credentials to bypass authorization and access restricted functions and resources across branches. This unauthorized access could lead to exposure or manipulation of sensitive data managed by the system.

Such unauthorized access and potential data exposure may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, data protection, and auditability to safeguard personal and sensitive information.

However, the provided information does not explicitly discuss the direct impact on compliance frameworks or specific regulatory requirements.
