Permission Flaw in Suprema BioStar 2 Exposes Backup Files
CVE-2026-9508

10 CRITICAL

Key Information:

Vendor: Suprema

CVE Published: 29 May 2026

What is CVE-2026-9508?

Suprema BioStar 2, in versions 2.9.3 through 2.9.11, assigns incorrect permissions to a critical resource. When an administrator configures the backup file path inside the NGINX webroot, the web server makes those files publicly reachable. An attacker who can reach the server over the network can therefore download the sensitive backup ZIP files directly, without authentication. The exposed backups can lead to server impersonation and unauthorized access to critical databases, which in turn can enable lateral movement within affected systems.
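As an added, defender-side illustration (not code from the advisory or from Suprema): a check that a configured backup directory does not resolve inside the NGINX webroot, and a scan of NGINX access-log lines for backup ZIPs that the web server served directly. The directories, the `/backup/` URL prefix and the log lines are constructed placeholders; the advisory does not give BioStar 2's actual paths.

```python
import os
import re
from typing import Dict, List

# Placeholder paths: the advisory does not name BioStar 2's real webroot or
# backup directory, so these are assumptions made for the demonstration.
WEBROOT = "/opt/example-webroot"            # assumed NGINX root
BACKUP_DIR = "/opt/example-webroot/backup"  # the flaw: backups inside the webroot
SAFE_BACKUP_DIR = "/var/backups/example"    # corrected: outside the webroot

def backup_dir_is_exposed(backup_dir: str, webroot: str) -> bool:
    """True if backup_dir resolves to the webroot or anything below it.

    Both paths are canonicalised (".." collapsed, existing symlinks resolved)
    and compared by path component, so "/root/../root/x" is caught and
    "/root2" is not mistaken for a child of "/root".
    """
    real_backup = os.path.realpath(backup_dir)
    real_root = os.path.realpath(webroot)
    return os.path.commonpath([real_backup, real_root]) == real_root

# NGINX combined log format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def find_backup_downloads(lines: List[str], url_prefix: str = "/backup/") -> List[Dict[str, str]]:
    """Flag 200/206 responses for .zip files under url_prefix. A static file
    inside the webroot is served by NGINX itself, bypassing app authentication."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if (path.startswith(url_prefix) and path.lower().endswith(".zip")
                and m.group("status") in ("200", "206")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path})
    return hits

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2026:10:01:12 +0000] "GET /backup/example-backup.zip HTTP/1.1" 200 73400320 "-" "curl/8.5.0"',
    '198.51.100.4 - - [29/May/2026:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/May/2026:10:03:01 +0000] "GET /backup/old.zip HTTP/1.1" 404 162 "-" "curl/8.5.0"',
]
```

Any hit from `find_backup_downloads` against a real log is a completed, unauthenticated download and should be treated as a confirmed data exposure, not just a configuration finding.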

Affected Version(s)

BioStar 2 (server) v2.9.3

BioStar 2 (server) v2.9.12


CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Jordi Garcia Ribera