CVE-2026-8464: Golem OEE MES Unauthenticated Path Traversal Vulnerability

CVE: CVE-2026-8464 | CVSS 4.0: 8.3 (HIGH) | CWE: CWE-22 | Vendor: Golem | Product: Golem OEE MES | Affected versions: < 11.6.0


What Is the Vulnerability

CVE-2026-8464 is a high-severity path traversal vulnerability in the Golem OEE MES (Overall Equipment Effectiveness Manufacturing Execution System) that allows unauthenticated attackers on the local network to read arbitrary files from the server operating system.

The vulnerability arises from insufficient validation of user-supplied file paths in the application. An attacker who can reach the Golem OEE MES web interface from the local network can craft specially formed HTTP requests containing path traversal sequences (such as ../) to escape the intended web application directory and access sensitive operating system files — including configuration files, credential stores, system logs, and other private data on the underlying server.

No authentication credentials or user interaction are required to exploit this vulnerability. The attacker only needs network adjacency to the target — they do not require a valid user account on the MES platform. This low barrier to entry, combined with the sensitivity of data typically present on manufacturing execution systems, makes CVE-2026-8464 a serious concern for industrial environments.

The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). The application fails to properly sanitise or restrict file path parameters, enabling directory traversal beyond the intended scope.


OT/IT Convergence Risk

Golem OEE MES is a manufacturing execution system deployed in industrial environments to monitor and manage production operations, equipment effectiveness, and shop-floor data. As a bridge between OT (Operational Technology) and IT systems, an MES platform often sits at the convergence boundary with network access to both the enterprise IT network and the industrial control network.

A path traversal vulnerability on an MES platform carries elevated risk for several reasons:

  • Sensitive file exposure: The server may contain production schedules, quality data, recipe parameters, batch records, and equipment configuration files — all potentially accessible through arbitrary file read.
  • Credential harvesting: Configuration files on the MES server may contain database credentials, API keys, LDAP bind credentials, or integration secrets that could be used to pivot deeper into either the IT or OT network.
  • Reconnaissance for further attacks: Reading system files, application logs, or network configuration files provides attackers with detailed intelligence for lateral movement and privilege escalation.
  • Regulatory exposure: Manufacturing data accessed through this vulnerability may be subject to compliance requirements under frameworks such as NIST SP 800-82, IEC 62443, or industry-specific regulations.

Organisations operating Golem OEE MES should treat this vulnerability with heightened urgency given the OT/IT convergence context.


Versions Affected

  • Golem OEE MES all versions prior to 11.6.0

Organisations running any release of Golem OEE MES below version 11.6.0 are affected and should upgrade immediately. The vulnerability is present in the core application and does not depend on specific configuration options or optional modules.


Exploited?

No known active exploitation has been confirmed at the time of this writing. However, the vulnerability characteristics warrant urgent patching attention:

  • Unauthenticated access: No credentials, session tokens, or user interaction are required. Any attacker with local network access can exploit the vulnerability.
  • Low attack complexity: Path traversal is one of the best-understood and most easily automated vulnerability classes. Once disclosed, exploit development is trivial.
  • OT/IT target profile: Manufacturing execution systems are high-value targets for both cybercriminals and nation-state actors. The MES sits at a privileged network position bridging OT and IT.
  • Predictable exploitation pattern: Path traversal vulnerabilities are highly reproducible. Mass scanning and exploitation activity should be expected once technical details are public.

Organisations should patch promptly rather than waiting for confirmed exploitation activity. The window between public disclosure and active targeting is likely to be short.


Fix

Golem has released version 11.6.0, which addresses the path traversal vulnerability.

  • Upgrade to Golem OEE MES 11.6.0 or later. The patched version implements proper path sanitisation and restricts file access to authorised directories.
  • Verify the upgrade. After applying the update, confirm the version number in the MES administration console reflects 11.6.0 or higher.
  • Review access controls. As a defence-in-depth measure, ensure that the Golem OEE MES web interface is not unnecessarily exposed beyond the local network segment required for operations. Network segmentation between IT and OT environments should restrict access to only authorised users and systems.
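The kind of path check a patched file-serving endpoint needs, shown as an added Python illustration of the vulnerable pattern beside the hardened one. This is not Golem's code: the advisory does not disclose the affected endpoint, so the base directory and function names below are assumptions.

```python
import os

# Assumed directory the MES is meant to serve files from (illustration only).
REPORT_ROOT = "/srv/golem/reports"

def unsafe_path(base, requested):
    """Vulnerable pattern (CWE-22): user input is joined straight onto the
    base directory, so '../../../etc/passwd' simply walks out of it."""
    return os.path.join(base, requested)

def resolve_under(base, requested):
    """Hardened pattern: resolve the candidate path and accept it only if it
    still lies inside the base directory after normalisation.
    Expects 'requested' to have been URL-decoded once by the web framework."""
    if "\x00" in requested:          # embedded NUL truncates paths in some runtimes
        return None
    if os.path.isabs(requested):     # absolute paths are never legitimate here
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath (not startswith) also rejects prefix tricks such as /srv/golem/reports2
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def open_report(requested):
    """Serve a report file only when the hardened check accepts the path."""
    path = resolve_under(REPORT_ROOT, requested)
    if path is None:
        raise PermissionError(f"rejected path: {requested!r}")
    return open(path, "rb")
```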

Recommendations

  • Patch immediately. Upgrade all Golem OEE MES instances to version 11.6.0. Prioritise systems that are reachable from user networks or that sit at the IT/OT boundary.
  • Audit file access logs. Review web server and application logs for evidence of path traversal attempts — look for patterns containing ../, URL-encoded traversal sequences, or other path manipulation signatures in URI parameters. Investigate any successful reads of files outside the expected web application directory.
  • Harden the MES server. Apply the principle of least privilege to the service account running the Golem OEE MES application. Restrict file system permissions so that the application account can only read files necessary for its operation.
  • Segment the network. Ensure the MES server is placed in an appropriately segmented network zone with strict firewall rules. Unauthenticated attacks require network adjacency, so limiting which hosts can reach the MES interface reduces the attack surface.
  • Monitor for anomalies. Deploy detection rules for unusual file access patterns, unexpected outbound connections from the MES server, or anomalous process behaviour that could indicate post-exploitation activity.
  • Inventory all MES deployments. Manufacturing environments may have multiple MES instances across plants, lines, or sites. Verify the version of every deployment and ensure none are overlooked during the patching cycle.
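To make the log audit in the recommendations above concrete, here is an added Python example (not part of the advisory or of any Golem tooling) that scans web server access logs for traversal attempts, including URL-encoded and double-encoded forms, and flags requests the server answered with a 2xx status as the ones to investigate first. The log lines, the /oee/report endpoint and the file parameter are constructed for illustration; the real vulnerable endpoint is not disclosed on the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The URI path and
# parameter name are assumptions, not the real Golem OEE MES endpoint.
SAMPLE_LOG = """\
10.0.5.21 - - [12/Mar/2026:08:14:02 +0000] "GET /oee/report?file=shift1.pdf HTTP/1.1" 200 4120
10.0.5.77 - - [12/Mar/2026:08:15:11 +0000] "GET /oee/report?file=../../../../etc/passwd HTTP/1.1" 200 1893
10.0.5.77 - - [12/Mar/2026:08:15:12 +0000] "GET /oee/report?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 404 0
10.0.5.77 - - [12/Mar/2026:08:15:13 +0000] "GET /oee/report?file=%252e%252e%252f%252e%252e%252fapp.config HTTP/1.1" 200 2210
10.0.5.21 - - [12/Mar/2026:08:16:40 +0000] "GET /oee/dashboard HTTP/1.1" 200 9981
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# A '..' path step followed by a separator (backslashes are normalised to '/' first).
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')

def fully_decode(s, rounds=3):
    """Undo URL encoding repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan_log(text):
    """Return one finding per request whose decoded URI contains a traversal step."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m['uri']).replace('\\', '/')
        if TRAVERSAL_RE.search(decoded):
            findings.append({
                'ip': m['ip'], 'ts': m['ts'], 'uri': m['uri'], 'decoded': decoded,
                'status': int(m['status']),
                # a 2xx reply means the server most likely returned file content
                'likely_success': m['status'].startswith('2'),
            })
    return findings

def suspicious_sources(findings):
    """Count traversal attempts per client IP to prioritise triage."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts
```

Run the same scanner over real access logs with the actual endpoint and parameter names substituted; a 404 on a traversal attempt still shows hostile intent and is worth correlating with the other requests from that source.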

References

This is a Vulnerability Intelligence advisory covering CVE-2026-8464. Part of the Vulnerability Intelligence series on threat-modeling.com.
