HIGH | CVE-2026-34023 | CNA: SEC-VLab

CVE-2026-34023: Broken WebSocket authorization in Wertheim SafeController Software allows cross-branch access to restricted functions

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user's authorized branch.

Metrics

  • CVSS v4.0 score: 7.1
  • Severity: HIGH
  • Fixed in: no fixed version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Broken authorization in the WebSocket layer of Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an attacker to cross branch boundaries inside a safe deposit locker management system. An authenticated low-privilege user can reach the vulnerable endpoint over the network and manipulate WebSocket messages to reference controller identifiers belonging to other branches, bypassing access controls. Successful exploitation lets the attacker invoke restricted functions in foreign branches, including activating safe deposit boxes they are not authorized to control. No fix version has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-34023 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI pipelines, and custom-built container images running Wertheim SafeController Software. Any image containing AssemblyVersion 6.15.8328.28014 will be flagged automatically.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.1 HIGH and weighting it against each environment's compliance policy to surface it at the appropriate priority level. Triage findings can be routed to the relevant team inbox within each customer organization based on configured policy rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Wertheim GmbH ships a corrected release. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to restrict WebSocket exposure at the container network boundary.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SafeController WebMessageBroker's WebSocket endpoint over the network; the service must be exposed to the attacker's network path.

  • Authentication: Required

    A valid low-privilege branch user account is required; any authenticated user with branch-level credentials is sufficient to attempt exploitation.

  • Victim interaction: Not required

    No victim action is needed; the attacker manipulates WebSocket messages directly without requiring another user to click or approve anything.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors required to manipulate the controller identifier in a WebSocket message.

Blast Radius

  • The attacker reads data belonging to branches outside their authorized scope, including branch-level resource listings and controller state.
  • The attacker modifies branch state in foreign branches by invoking restricted functions, including activating safe deposit boxes that belong to other customers or organizational units.
  • Integrity of the physical access-control system is undermined: unauthorized box activations represent real-world physical access to secured compartments.
  • Audit and compliance records for affected branches may reflect unauthorized operations, creating accountability and forensic integrity problems.

How HarborGuard Handles This

Available on HarborGuard: images containing Wertheim SafeController Software AssemblyVersion 6.15.8328.28014 are matched against this CVE on every registry and pipeline scan. Because Wertheim GmbH has not yet published a fix, no automated rebuild PR is available today. HarborGuard re-evaluates the advisory on each ingest cycle and will queue a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment an upstream fix is released. While no patch exists, compensating controls are available through HarborGuard policy enforcement: customers can apply network-policy isolation to restrict which principals can reach the WebSocket endpoint, enable egress filtering to limit lateral reach from the container, and use feature-flag gating in supported deployment configurations to disable WebSocket broker exposure on untrusted network segments. All findings are scored at CVSS 7.1 HIGH and routed according to each environment's compliance policy.

Affected packages

  • Wertheim GmbH / Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System)
    Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N