CVE-2026-6180 MEDIUM

CVE-2026-6180: PaperCut MF: Card truncation on HP readers

Vendor Papercut
Product PaperCut NG/MF
Weakness CWE-367
Published May 5, 2026
Last update May 5, 2026

CVSS base score

4.1/10
Attack vector Physical
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device.

Key dates

02Disclosure timeline

May 5, 2026 CVE published
May 5, 2026 Record updated