Incorrect Permission Assignment for Critical Resource vulnerability in Suprema’s BioStar

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Description

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

Basic Information

ID CVE-2026-9508

Source INCIBE

Published May 29, 2026 at 12:09

Modified May 29, 2026 at 13:33

Affected Product

Vendor Suprema

Product BioStar 2 (server)

Version v2.9.3

Affected Versions Suprema BioStar 2 (server) v2.9.3

CWE Classification

CWE-732

References

www.incibe.es /en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar

{
    "lastseen": "",
    "description": "Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via \u2018http(s)://[server]/download/\u2026\u2019 without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.",
    "published": "2026-05-29T12:09:02.026Z",
    "modified": "2026-05-29T13:33:31.937Z",
    "type": "cve",
    "title": "Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar",
    "id": "CVE-2026-9508",
    "bulletinFamily": "",
    "cwe": [
        "CWE-732"
    ],
    "cvelist": null,
    "sourceData": "Suprema BioStar 2 (server) v2.9.3",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "BioStar 2 (server)",
    "version": "v2.9.3",
    "vendor": "Suprema",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Incorrect Permission Assignment for Critical Resource vulnerability in Suprema’s BioStar_CVE-2026-9508