CVE-2026-34023 | The Wertheim SafeController Software, AssemblyVersion 6.15.8… | CVSS 7.1 HIGH

Description

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user's authorized branch.

Metadata

CVE ID: CVE-2026-34023
State: PUBLISHED
Assigner: SEC-VLab
Reserved: 2026-03-25 10:46 UTC
Published: 2026-06-15 10:03 UTC
Last updated: 2026-06-15 12:27 UTC
Primary CWE: CWE-863
CWE-863 Incorrect Authorization
Vendor / Product: Wertheim GmbH / Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Wertheim GmbH	Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)	—	Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863 Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

References (2)