CVE-2026-6180 | THREATINT

Description

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device.

PUBLISHED Reserved 2026-04-13 | Published 2026-05-05 | Updated 2026-05-05 | Assigner PaperCut

MEDIUM: 4.1CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-367 Time-of-check time-of-use (TOCTOU) race condition

CWE-20 Improper input validation

Product status

Default status

unaffected

Any version before 24.1.9

affected

Any version before 25.0.10

affected

References

www.papercut.com/...apercut-hive-security-bulletin-may-2026/

cve.org (CVE-2026-6180)

nvd.nist.gov (CVE-2026-6180)

Download JSON