File Access Vulnerability in LabOne Web Server by Zurich Instruments
CVE-2026-6903

8.7 HIGH

Key Information:

CVE Published: 23 April 2026

What is CVE-2026-6903?

The LabOne Web Server, which is part of the LabOne User Interface from Zurich Instruments, does not sufficiently validate input in its file access functionality. This may allow an unauthenticated attacker to read arbitrary files that are accessible to the user running the LabOne software. The server also fails to adequately restrict cross-origin requests, so a remote attacker can exploit the vulnerability by directing a victim to a malicious site. Installations that use only the LabOne APIs and never start the Web Server are not affected.

Affected Version(s)

LabOne 0 < 26.01.3.9

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
