VYPR
Critical severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-9508

Description

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Incorrect permissions in Suprema BioStar 2 (2.9.3-2.9.11) expose backup ZIP files via NGINX, allowing unauthenticated download of sensitive data.

Vulnerability

A critical vulnerability identified as CVE-2026-9508 affects Suprema BioStar 2 Server versions 2.9.3 through 2.9.11 [1]. The issue is caused by incorrect permission settings (CWE-732) on a critical resource: when an administrator configures the backup path within the NGINX webroot, the resulting backup ZIP files become publicly accessible [1]. An attacker can directly download these files via http(s)://[server]/download/... without any authentication [1].

Exploitation

An attacker with network access to the server can exploit this vulnerability by crafting a request to the predictable /download/ endpoint path where backup ZIP files are stored [1]. No authentication, user interaction, or special privileges are required. The attacker simply sends an HTTP GET request to the vulnerable URL to retrieve the backup archive [1].

Impact

Successful exploitation exposes highly sensitive information contained in the backup files [1]. This can include database credentials, configuration secrets, user data, and system settings, enabling server impersonation, unauthorized access to databases, and lateral movement within the network [1]. The confidentiality and integrity impacts are high, and the attack can lead to complete compromise of the BioStar 2 server and connected systems [1].

Mitigation

Suprema has released a fix for this vulnerability; users should update to the latest available version of BioStar 2 Server [1]. No workaround is documented in the available references [1]. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
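The misconfiguration the advisory describes, a backup directory placed inside the NGINX webroot, can be checked for on the server itself. The Python check below is an added example, not code from Suprema, BioStar 2 or the advisory; it assumes hypothetical directory names (www, backups, private) built in a temporary folder, and flags a backup path that the web server would serve either directly or through a symlinked directory under the webroot.

```python
import os
import tempfile

# Root cause of CVE-2026-9508: the backup directory sits inside the NGINX
# webroot, so each backup ZIP becomes a static file served without
# authentication. This check flags a backup path reachable through the
# webroot either directly or via a symlinked directory beneath it.

def is_inside(path: str, parent: str) -> bool:
    """True if `path` resolves to `parent` or to a location beneath it."""
    p, root = os.path.realpath(path), os.path.realpath(parent)
    try:
        return os.path.commonpath([p, root]) == root
    except ValueError:  # different drives (Windows): cannot be inside
        return False

def exposure_paths(backup_dir: str, webroot: str) -> list[str]:
    """Return webroot-relative paths through which backup_dir is served."""
    target, root = os.path.realpath(backup_dir), os.path.realpath(webroot)
    routes = []
    if is_inside(target, root):
        routes.append(os.path.relpath(target, root))
    # os.walk lists symlinked directories in dirnames but does not descend
    # into them, so each one is inspected here as a possible route.
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            link = os.path.join(dirpath, name)
            if os.path.islink(link) and is_inside(target, link):
                inner = os.path.relpath(target, os.path.realpath(link))
                routes.append(os.path.normpath(
                    os.path.join(os.path.relpath(link, root), inner)))
    return sorted(set(routes))

def run_demo() -> dict:
    """Constructed layout (assumed names, not BioStar 2's real paths):
    www/ is the webroot, www/download is a symlink to backups/ (the
    misconfiguration), and private/ is a backup directory kept outside."""
    with tempfile.TemporaryDirectory() as base:
        www, backups, private = (os.path.join(base, d) for d in ("www", "backups", "private"))
        for d in (www, backups, private):
            os.makedirs(d)
        open(os.path.join(backups, "biostar_backup.zip"), "wb").close()  # sample archive
        os.symlink(backups, os.path.join(www, "download"))
        return {
            "symlinked": exposure_paths(backups, www),  # -> ["download"]
            "outside": exposure_paths(private, www),  # -> []
            "direct": exposure_paths(os.path.join(www, "backup"), www),  # -> ["backup"]
        }

if __name__ == "__main__":
    for case, routes in run_demo().items():
        print(case, "EXPOSED at " + ", ".join(routes) if routes else "not reachable")
```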

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)