CVE-2026-8993

Vulnerability

The D.Launcher 2 component of the Slovak eID client ecosystem contains an Improper URL Handler Processing vulnerability. This vulnerability exists in older versions of the application for MS Windows, macOS, and GNU/Linux. The application registers custom URL handlers that can be exploited to initiate NTLM authentication or SMB connections to attacker-controlled infrastructure, and to conduct Server Side Request Forgery (SSRF) attacks.

Exploitation

An attacker can exploit this vulnerability by tricking a user into opening a specially crafted URL. This user interaction is required for the vulnerability to be triggered. Once the URL is opened, the attacker can potentially redirect the application to authenticate using NTLM or establish an SMB connection to their infrastructure, enabling SSRF attacks.

Impact

Successful exploitation allows an attacker to force the application to authenticate to their infrastructure using NTLM or establish an SMB connection. This can lead to the disclosure of sensitive information, unauthorized access to internal resources via SSRF, or potentially other impacts depending on the attacker's infrastructure and the context in which the D.Launcher 2 application is running.

Mitigation

The vulnerability was fixed in D.Launcher 2 v2.0.7.0 and D.Suite/eIDAS v2.0.7, released on May 5, 2026 [1]. The fix includes updating vulnerable libraries, removing the registration of the ditec-dlauncher2f:// URI scheme, and disabling internet access for the ditec-dlauncher2:// URI scheme. Users are strongly recommended to update to the latest versions of the affected applications [2].