CVE-2026-34027
Description
Authenticated users can bypass file type validation in SafeController's document upload endpoint by spoofing the Content-Type header, allowing upload of arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) performs insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application decides whether to accept an upload from the client-controlled HTTP Content-Type value alone: the upload is accepted if that value contains an allowed substring such as pdf, jpeg, tiff, or png, and the file's actual bytes are never inspected. An authenticated attacker with any role can therefore set an arbitrary Content-Type and upload arbitrary file content [1].
Exploitation
An attacker needs valid authentication credentials for the SafeController application (any role/permission level is sufficient). The attacker then sends a crafted HTTP request to the upload endpoint with arbitrary file content and sets the Content-Type header to a value that includes one of the allowed strings (e.g., image/png). No additional user interaction or privileges are required [1].
Impact
Successful exploitation allows an attacker to upload arbitrary files to the server. Combined with the fact that the application service runs with highly privileged user rights (a deployment issue noted in [1]), this file upload can be leveraged to achieve remote code execution on the host in the context of the service account. This compromises the confidentiality, integrity, and availability of the system [1].
Mitigation
The vendor has released a patch to address this vulnerability; specific version information was not provided. SEC Consult recommends contacting the vendor directly to obtain the update. No workaround has been disclosed [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Wertheim SafeController Software, AssemblyVersion = 6.15.8328.28014
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application validates uploaded files based on the user-controlled HTTP Content-Type value rather than inspecting the actual file content."
Attack vector
An authenticated attacker with any role or permission level can upload arbitrary file content by spoofing the HTTP `Content-Type` header so that it contains an allowed substring such as `pdf`, `jpeg`, `tiff`, or `png` [1]. Because the server checks only that user-supplied value and never the bytes of the file, the attacker bypasses the intended restriction and can store files of any type on the server, including executable code [1]. A valid session is required, but no special role or permission level is needed [1].
Affected code
The vulnerability occurs in the `/safe/contract/uploadcustomdocuments` endpoint of the Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014). The server-side validation relies solely on the user-controlled HTTP `Content-Type` header rather than inspecting the actual file content or server-side MIME detection.
What the fix does
The advisory states that the vulnerability stems from insufficient application-side file type validation but does not include a patch or detailed remediation code [1]. To close the vulnerability, the application must validate uploaded files on their actual content (e.g., by inspecting the leading magic bytes) rather than trusting the user-supplied Content-Type header, enforce a strict allow-list of permitted file extensions, and reject any upload whose extension, sniffed content type and declared Content-Type disagree. Since the RCE impact depends on the uploaded file being reachable for execution and on the service running with high privileges (the deployment issue noted above), uploads should additionally be stored outside any web-served or executable path and the service account reduced to least privilege.
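The following Python is an added example illustrating both the Attack vector above and the fix just described; it is not SafeController code (the advisory publishes none) and does not target the real endpoint. `vulnerable_check` reproduces the substring match on the client-supplied Content-Type that the advisory describes; `hardened_check` is the editor's suggested replacement, and its magic-byte table and extension allow-list are assumptions about what such a validator would check. All sample payloads are constructed inline.

```python
import os
from typing import Optional, Tuple

# Allowed Content-Type substrings, as described in the advisory for the
# vulnerable check (a match on any of these accepts the upload).
ALLOWED_CT_SUBSTRINGS = ("pdf", "jpeg", "tiff", "png")

# Assumption: the hardened validator maps permitted extensions to the
# document type it expects to find in the bytes.
ALLOWED_EXTENSIONS = {
    ".pdf": "pdf", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".png": "png", ".tif": "tiff", ".tiff": "tiff",
}

# Leading magic bytes for the same four formats (standard file signatures).
MAGIC_BYTES = {
    "pdf":  (b"%PDF-",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "tiff": (b"II*\x00", b"MM\x00*"),
}


def vulnerable_check(content_type: str, data: bytes) -> bool:
    """The flawed check: trusts the client-supplied Content-Type and never
    looks at `data`. Any value containing an allowed substring passes, so
    'image/png' declared on a server-side script is accepted."""
    ct = content_type.lower()
    return any(s in ct for s in ALLOWED_CT_SUBSTRINGS)


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the document type from the leading bytes, or None."""
    for kind, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def hardened_check(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Validate on what the bytes are, not on what the client claims.

    Returns (accepted, reason). The extension allow-list runs first, then
    magic-byte sniffing, then a consistency check that extension, sniffed
    type and declared Content-Type all agree. The declared header can only
    cause a reject, never an accept on its own.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not in allow-list"
    expected = ALLOWED_EXTENSIONS[ext]

    actual = sniff_type(data)
    if actual is None:
        return False, "content does not match any permitted document type"
    if actual != expected:
        return False, f"extension says {expected} but content is {actual}"

    if expected not in content_type.lower():
        return False, f"declared Content-Type {content_type!r} does not match {actual} content"
    return True, actual


# Constructed sample payloads (not captured traffic).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_PDF = b"%PDF-1.4\n%constructed minimal header\n"
SAMPLE_SCRIPT = b'<%@ Page Language="C#" %>\n<% /* server-side script, not an image */ %>\n'
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60


def demo():
    """Run both validators over the samples; returns {label: (vulnerable_accepts, hardened_accepts)}."""
    cases = {
        "genuine png":           ("scan.png",  "image/png",       SAMPLE_PNG),
        "script as image/png":   ("page.aspx", "image/png",       SAMPLE_SCRIPT),
        "script renamed .png":   ("page.png",  "image/png",       SAMPLE_SCRIPT),
        "exe named .pdf":        ("doc.pdf",   "application/pdf", SAMPLE_PE),
        "pdf with wrong header": ("doc.pdf",   "image/png",       SAMPLE_PDF),
    }
    results = {}
    for label, (name, ct, data) in cases.items():
        results[label] = (vulnerable_check(ct, data), hardened_check(name, ct, data)[0])
    return results


if __name__ == "__main__":
    for label, (vuln, hard) in demo().items():
        print(f"{label:24s} vulnerable={'accept' if vuln else 'reject'}  hardened={'accept' if hard else 'reject'}")
```

Only the genuine PNG passes the hardened validator; every spoofed case is accepted by the Content-Type substring match and rejected once the bytes and extension are checked. The order of the checks is deliberate: the extension allow-list is the cheapest filter and stops `.aspx`-style uploads before any parsing, and the declared Content-Type is consulted last and only as a reason to reject.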
Preconditions
- Authentication: valid user session with any role or permission level
- Network: access to the /safe/contract/uploadcustomdocuments endpoint
- Input: HTTP Content-Type header containing an allowed substring (pdf, jpeg, tiff, or png)
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.