CVE-2026-22234 OPEXUS CVE debrief

Who should care

Organizations using OPEXUS eCasePortal versions prior to 9.0.45.0 should prioritize upgrading to the latest version to prevent exploitation of this vulnerability. Security teams and administrators responsible for OPEXUS eCasePortal installations should be aware of this critical vulnerability and take immediate action to protect their systems.

Technical summary

The OPEXUS eCasePortal before version 9.0.45.0 is vulnerable to an unauthenticated IDOR (Insecure Direct Object Reference) attack. An attacker can navigate to the 'Attachments.aspx' endpoint and iterate through predictable 'formid' values to download or delete user-uploaded files, or upload new files. This vulnerability is due to inadequate access controls and insecure handling of file references. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high impact on confidentiality, integrity, and availability.

Defensive priority

This vulnerability has a high defensive priority due to its critical CVSS score of 9.8 and the potential for significant impact on confidentiality, integrity, and availability. Immediate action is recommended to upgrade to version 9.0.45.0 or later.

Recommended defensive actions

• Upgrade OPEXUS eCasePortal to version 9.0.45.0 or later.
• Review and adjust access controls for the 'Attachments.aspx' endpoint.
• Monitor for suspicious activity related to file uploads and downloads.
• Implement additional security measures to protect against IDOR attacks.
• Verify that all user-uploaded files are properly validated and sanitized.

Evidence notes

The vulnerability was publicly disclosed on January 7, 2026, and OPEXUS has released a fix in version 9.0.45.0. The CVE record and NVD details provide additional information about the vulnerability. The source item URL provides the official CSAF (Common Security Advisory Format) file detailing the vulnerability.

Official resources