CVE-2026-8464: Path traversal in Neuron Soft Golem OEE MES
Golem OEE MES is vulnerable to an unauthenticated path traversal flaw. An attacker on the same local network can read arbitrary files from the server's operating system by manipulating HTTP request paths. This issue has been fixed in version 11.6.0.
Metrics
- CVSS v4.0
- 8.3
- Severity
- HIGH
- Fixed in
- 11.6.0
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in Neuron Soft Golem OEE MES allows an unauthenticated attacker on the same local network or VPN segment to read arbitrary files from the server's operating system by manipulating HTTP request paths. No credentials are required to exploit this flaw, and no victim interaction is needed. Successful exploitation gives the attacker full read access to files on the host, including configuration files, credentials, and any other data the server process can reach. A patched-image rebuild at version 11.6.0 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-8464 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Golem OEE MES. Any image running a version of Golem OEE MES below 11.6.0 is flagged automatically.
Triage: HarborGuard scores this CVE at its published CVSS v4.0 rating of 8.3 (High) and weights that score against each environment's compliance policy to surface the finding at the appropriate severity tier. Findings are routed to the correct team inbox within each customer organization based on image ownership and policy configuration.
Remediation: a patched-image rebuild at Golem OEE MES version 11.6.0 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test pass, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: adjacent network (AV:A)
The attacker must be on the same LAN, an adjacent network, or a VPN segment that can reach the target server; access from the internet alone is not sufficient.
- Authentication: not required (PR:N)
No credentials of any privilege level are needed; the vulnerable HTTP endpoint accepts unauthenticated requests.
- Victim interaction: not required (UI:N)
The attacker sends crafted HTTP requests directly to the server; no user action or social engineering is involved.
- Attack complexity: low (AC:L, AT:N)
Exploitation is deterministic: no race conditions, special memory layout, or environmental preconditions are required, so a single crafted request is enough.
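To show what "manipulating HTTP request paths" means for this flaw class, the block below is an added example, not code from Golem OEE MES, HarborGuard, or the advisory. It contrasts a naive handler that joins the request path onto a document root with a hardened resolver that decodes once, collapses `..` segments in URL space, resolves symlinks, and checks containment with `os.path.commonpath`. A small log-triage heuristic for spotting traversal attempts (including double-encoded ones) is included for detection engineers. The document root, file names, symlink and request paths are all constructed for the demonstration and do not reflect the product's real endpoints.

```python
"""Path traversal: naive request-path-to-file mapping versus a hardened resolver.

Added example for illustration only; not code from Golem OEE MES or HarborGuard.
Every path, file name and request below is constructed for the demo.
"""
import os
import posixpath
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def resolve_vulnerable(doc_root: str, request_path: str) -> str:
    """Naive mapping: decode, drop the leading slash, join onto the root.

    '..' segments survive the join and walk out of doc_root, and symlinks
    under doc_root are followed wherever they point.
    """
    decoded = unquote(request_path)
    return os.path.normpath(os.path.join(doc_root, decoded.lstrip("/")))


def resolve_hardened(doc_root: str, request_path: str) -> Optional[str]:
    """Return an absolute path inside doc_root, or None if the request escapes."""
    decoded = unquote(request_path)          # decode exactly once
    if "\x00" in decoded:                    # NUL truncates paths in C-level file APIs
        return None
    # Collapse '.' and '..' in URL space first, treating '\' as a separator too.
    collapsed = posixpath.normpath("/" + decoded.replace("\\", "/"))
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, collapsed.lstrip("/")))
    # realpath has resolved symlinks, so a link pointing outside doc_root fails
    # this check. commonpath, unlike startswith, does not treat /srv/www-old as
    # being inside /srv/www.
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:                        # e.g. different drives on Windows
        return None
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """Log-triage heuristic: flag any '..' segment after up to two decode
    rounds, so double-encoded payloads such as %252e%252e are caught too."""
    s = request_path
    for _ in range(2):
        s = unquote(s)
    return any(seg == ".." for seg in s.replace("\\", "/").split("/"))


# Constructed request paths: one legitimate, the rest traversal attempts.
REQUESTS = [
    "/index.html",
    "/../secret.txt",
    "/%2e%2e/%2e%2e/secret.txt",
    "/static/..%2f..%2fsecret.txt",
    "/link",                                  # symlink inside the root, pointing out
]


def demo() -> Dict[str, Tuple[bool, bool]]:
    """For each request, report (naive_escapes_root, hardened_escapes_root).

    A hardened result of None (request rejected) counts as not escaping.
    """
    results: Dict[str, Tuple[bool, bool]] = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        os.makedirs(os.path.join(root, "static"))
        secret = os.path.join(base, "secret.txt")  # constructed file outside the root
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("public")
        with open(secret, "w") as f:
            f.write("db_password=hunter2")
        os.symlink(secret, os.path.join(root, "link"))
        real_root = os.path.realpath(root)

        def escapes(path: str) -> bool:
            return os.path.commonpath([real_root, os.path.realpath(path)]) != real_root

        for req in REQUESTS:
            naive = escapes(resolve_vulnerable(root, req))
            hardened = resolve_hardened(root, req)
            results[req] = (naive, hardened is not None and escapes(hardened))
    return results


if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req:32} naive escapes={naive!s:5} hardened escapes={hardened}")
```

Running `demo()` shows every traversal variant escaping the document root under the naive mapping and none under the hardened resolver, which maps `/../secret.txt` to a non-existent file inside the root rather than to the real secret and refuses the symlink outright. The `looks_like_traversal` helper is deliberately noisy (it flags any `..` segment) and is meant for hunting in access logs, not as a replacement for the containment check.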
Blast Radius
- Reads arbitrary files from the server's operating system that the server process can open, including application configuration files that may contain database credentials, API keys, or service account secrets.
- Because those files may hold secrets shared with connected systems, the confidentiality impact extends beyond the vulnerable host to subsequent systems (SC:H).
- Confidentiality of all data in files reachable by the server process is fully compromised (VC:H); the vulnerability itself has no direct integrity or availability impact (VI:N, VA:N).
How HarborGuard Handles This
Available on HarborGuard: any image containing Golem OEE MES below version 11.6.0 is detectable within minutes of the CVE entering the upstream feed, matched across all registries and pipelines a customer has connected, including internally built images. Triage is available at the published CVSS v4.0 score of 8.3 (High), with compliance-policy weighting to route findings to the appropriate team.
Because a fix exists at version 11.6.0, a patched-image rebuild is available immediately. For customers who opt into auto-remediation, HarborGuard can rebuild the image at 11.6.0, run a regression test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Given the adjacent-network attack vector, customers who cannot immediately upgrade should restrict access to the Golem OEE MES HTTP port to trusted network segments only (network policy or host firewall rules) as a compensating control while the patched rebuild is validated and promoted.
Fix available
- Neuron Soft / Golem OEE MES: affected < 11.6.0 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N