CVE-2026-51926 in FSM Client
Summary
by MITRE • 07/10/2026
An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in docuForm GmbH FSM Client version 11.11c represents a critical security flaw that undermines the integrity of the authentication system through improper error handling mechanisms. This issue manifests within the login.php component where the application fails to provide consistent response behavior for authentication attempts, creating predictable patterns that reveal account existence status. The flaw stems from the application's inability to maintain uniform server responses regardless of whether a username exists in the system or not, thereby exposing sensitive information through subtle variations in timing, error messages, or response codes.
The technical implementation of this vulnerability directly relates to CWE-200, which addresses information exposure, and CWE-384, which covers session management flaws. The authentication mechanism lacks proper input validation and consistent error handling, allowing attackers to distinguish between valid and invalid usernames through differential analysis of server responses. This type of user enumeration attack operates under the principles of the ATT&CK framework's credential access tactics, specifically targeting the T1111 technique for web application credentials. The vulnerability enables an attacker to systematically identify legitimate accounts within the system, which serves as a foundational step for more sophisticated attacks such as brute-force or credential stuffing operations.
The operational impact of this vulnerability extends beyond simple information disclosure, creating a pathway for unauthorized access that can lead to complete system compromise. Attackers can leverage the enumerated user accounts to conduct targeted brute-force campaigns against weak passwords, or deploy credential stuffing techniques using compromised credentials from other data breaches. The exposure of valid usernames also facilitates social engineering attacks and provides attackers with valuable intelligence for planning more effective infiltration strategies. This vulnerability particularly affects organizations that rely on the FSM Client for document management and workflow processes, potentially compromising sensitive business documents and operational data.
Mitigation strategies should focus on implementing consistent error handling throughout the authentication process, ensuring that all authentication attempts return identical response patterns regardless of account validity. Organizations must deploy proper input sanitization and validation mechanisms that prevent attackers from inferring account status through response variations. The implementation of rate limiting and account lockout mechanisms can help prevent automated enumeration attacks, while multi-factor authentication should be considered as a defense-in-depth measure. Additionally, regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in authentication systems, ensuring compliance with security standards such as those outlined in the OWASP Top Ten and NIST Cybersecurity Framework.