CVE-2024-6789 in Serverinfo

Summary

by MITRE • 08/27/2024

A path traversal issue in an API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows an authenticated user to read files.


Analysis

by VulDB Data Team • 02/23/2026

The vulnerability identified as CVE-2024-6789 represents a critical path traversal flaw within the M-Files Server application ecosystem. This security weakness affects multiple versions including the standard release before 24.8.13981.0 and several long-term support releases such as LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6. The flaw resides in an API endpoint that processes file access requests, creating an opportunity for authenticated attackers to bypass normal file system access controls and retrieve arbitrary files from the server's file system.

The technical implementation of this vulnerability stems from inadequate input validation and path sanitization within the API endpoint handling file operations. When authenticated users submit requests through the vulnerable API, the application fails to properly validate or sanitize the file path parameters, allowing attackers to manipulate these inputs using directory traversal sequences such as ../ or ..\ to navigate outside the intended directory boundaries. This weakness directly maps to CWE-22, which specifically addresses path traversal vulnerabilities where insufficient input validation enables unauthorized access to files outside the expected directory structure.
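As an added example, not code from M-Files or from VulDB, the weak concatenation pattern the paragraph describes sits beside a hardened resolver that canonicalizes the request path and requires the result to stay under the vault root, rejecting ../ and ..\ sequences in plain, URL-encoded and double-encoded forms. The vault root and the request paths are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root; not M-Files' real on-disk layout.
VAULT_ROOT = "/srv/mfiles/vault"


def naive_resolve(user_path: str, root: str = VAULT_ROOT) -> str:
    """The weak pattern: join the request path onto the root and
    normalize, with no check that the result is still under root.
    '../../etc/passwd' walks out of the vault directory."""
    return posixpath.normpath(posixpath.join(root, user_path))


def safe_resolve(user_path: str, root: str = VAULT_ROOT) -> Optional[str]:
    """Hardened resolver. Returns the canonical path, or None when the
    request must be refused (and, in a real service, logged)."""
    # 1. Decode percent-encoding until stable so %2e%2e%2f and the
    #    double-encoded %252e%252e%252f cannot slip past later checks.
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # 2. Embedded NULs are never legitimate in a document path.
    if "\x00" in decoded:
        return None
    # 3. Treat Windows separators the same as '/', so '..\\' is seen.
    decoded = decoded.replace("\\", "/")
    # 4. Absolute paths would override the root in posixpath.join.
    if decoded.startswith("/"):
        return None
    # 5. Canonicalize, then enforce containment with a separator-aware
    #    prefix check so '/srv/mfiles/vault2' is not accepted as
    #    being inside '/srv/mfiles/vault'. A production service should
    #    additionally resolve symlinks (os.path.realpath) on the result.
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate
```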

The operational impact of this vulnerability extends beyond simple unauthorized file access, as it provides attackers with the capability to potentially read sensitive configuration files, database credentials, application source code, or other confidential data stored on the server. Given that the vulnerability requires only authenticated access, it represents a significant risk in environments where user accounts may be compromised or where legitimate users have elevated privileges. The implications are particularly severe in enterprise document management systems like M-Files Server, where sensitive business data, contracts, and proprietary information are typically stored in structured repositories.

Security professionals should consider this vulnerability in the context of the ATT&CK framework's T1083 (File and Directory Discovery) and T1566 (Phishing) techniques, as it enables attackers to discover and extract sensitive files that could subsequently be used for further attacks or data exfiltration. The vulnerability's presence in multiple release versions, including LTS branches, indicates a prolonged window of exposure that organizations should address immediately through patch management processes.

Organizations should implement immediate mitigations including applying the vendor-provided patches for M-Files Server versions 24.8.13981.0 and the respective LTS releases, implementing additional input validation at the network level, and conducting comprehensive security assessments of file access APIs within their document management systems. The vulnerability demonstrates the critical importance of proper input validation and access control implementation in enterprise applications, particularly those handling sensitive business data in document management environments.

Reservation

07/16/2024

Disclosure

08/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00560

KEV

no

Activities

very low

Sources
