CVE-2026-6180

HIGH

PaperCut MF: Card truncation on HP readers

Title source: cna

Description

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device.

References (1)

Core 1

Core References

https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/

Scores

CVSS v3 8.1

EPSS 0.0023

EPSS Percentile 13.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-367

Status published

Products (4)

PaperCut/PaperCut NG/MF < 24.1.9

PaperCut/PaperCut NG/MF < 25.0.10

papercut/papercut_mf < 24.1.9

papercut/papercut_ng < 24.1.9

Published May 05, 2026

Tracked Since May 05, 2026