PaperCut NG/MF and PaperCut Hive Security Bulletin (May 2026)
Last updated May 5, 2026
Summary
At PaperCut, we are consistently working on improving the security posture of our products. This ongoing commitment involves regular internal audits, proactive “pattern hunting” in our codebase, and collaboration with external security researchers. This process is designed to identify and remediate potential issues before they can be exploited.
PaperCut prioritizes the safety of our customers through a responsible disclosure policy. As part of this approach, you may observe specific CVE identifiers appearing in our product release notes before a formal security bulletin or a CVE database entry is fully published. This “fix-first” strategy allows us to provide immediate protection while delaying the publication of technical details that could be used to develop exploits. Full documentation is published only when we are confident that disclosure no longer poses an immediate risk to our customer base.
This bulletin addresses three security vulnerabilities:
- CVE-2026-6180 (HP Badge Data): A race condition that could lead to unauthorized user logins in environments using custom badge-processing scripts.
- CVE-2026-6418 (Shared Account Sync): A path traversal vulnerability allowing administrators to access unauthorized local system files.
- CVE-2026-7824 (Ricoh Diagnostic Logs): An issue where administrative credentials were inadvertently recorded in plain text when “Deep Logging” was enabled.
Recommendation: PaperCut recommends that PaperCut NG/MF customers upgrade to version 25.0.11 (or later) and PaperCut Hive customers running the Ricoh Embedded App update to version 2.2.0 (or later) to ensure these protections are applied.
Security issues addressed
| CVE | Notes | CVSS rating and vector |
| --- | --- | --- |
| CVE-2026-6180 PaperCut NG/MF: Card truncation on HP readers | A race condition existed in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may have incorrectly processed fragmented data chunks. If a sequence reset notification failed to reach the server, the server may have rejected the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This led to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability was compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device. Vulnerability Type: Time-of-check time-of-use (TOCTOU) race condition, Improper Input Validation. Impact: Unauthorised access. Fixed in: PaperCut NG/MF 24.1.9, 25.0.10 | 4.1 (MEDIUM) CVSS:4.0 |
| CVE-2026-6418 PaperCut NG/MF: Path Traversal in Shared Account Synchronization | An issue was discovered in the Shared Account Synchronization component of PaperCut MF. The application allowed administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges could specify arbitrary file paths on the local file system. This allowed for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running. | 4.6 (MEDIUM) CVSS:4.0 |
| CVE-2026-7824 PaperCut Hive (Ricoh): Plain text password in logs | An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive management portal could remotely enable deep logging and subsequently retrieve sensitive device passwords from the logs after an authorized user authenticates at the device. | 5.9 (MEDIUM) CVSS:4.0 |
Who is impacted
You are likely impacted if you meet the following conditions:
- For CVE-2026-6180 and CVE-2026-6418: You are running PaperCut NG/MF versions prior to 25.0.11.
- For CVE-2026-7824: You are a PaperCut Hive customer utilizing Ricoh devices running the PaperCut Embedded App versions prior to 2.2.0.
Steps to resolve
PaperCut recommends that all customers upgrade to the latest versions of their respective products in line with their standard maintenance and upgrade cycles.
- Upgrade PaperCut NG/MF: Download and install the latest build from the PaperCut website.
- Verify Secure Configuration (CVE-2026-6418): In addition to upgrading, we recommend reviewing the security.shared-account-sync.allowed-directory-list config key to ensure it is restricted to authorized directories only. For new installations of v25.0.11 and later, this setting is configured in its most restrictive state by default. Refer to our Secure Configuration Guide for further details.
- Update Embedded Software: For Ricoh fleets managed via PaperCut Hive, ensure the embedded application is updated to the latest version (2.2.0 or later) through the Hive management console.
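The allow-list control described for CVE-2026-6418 comes down to one check: an administrator-supplied source path is accepted only if its canonical form lies inside a configured directory. The following is an added illustration written for this bulletin, not PaperCut's code; it assumes a comma-separated allow-list value and a POSIX filesystem for the constructed sandbox, and shows the three bypasses a naive string-prefix check misses (parent traversal, symlinks, and a sibling directory sharing a name prefix).

```python
import tempfile
from pathlib import Path


class PathNotAllowed(ValueError):
    """Raised when an administrator-supplied path escapes the allow-list."""


def parse_allowed_directories(value: str) -> list[Path]:
    """Comma-separated allow-list (separator assumed) -> canonical directories."""
    return [Path(p.strip()).resolve() for p in value.split(",") if p.strip()]


def resolve_sync_source(requested: str, allowed: list[Path]) -> Path:
    """Accept `requested` only if its canonical form lies inside an allowed
    directory. resolve() follows symlinks and collapses '..'; is_relative_to()
    compares path components, so allowed '/srv/sync' does not admit '/srv/sync-other'."""
    if not allowed:
        raise PathNotAllowed("empty allow-list: no source directory is permitted")
    candidate = Path(requested).resolve()
    for base in allowed:
        if candidate.is_relative_to(base):
            return candidate
    raise PathNotAllowed(f"{requested!r} resolves outside the allowed directories")


def demo() -> dict[str, str]:
    """Constructed sandbox: one allowed directory and three escape attempts."""
    root = Path(tempfile.mkdtemp())
    sync_dir = root / "sync"
    sync_dir.mkdir()
    (sync_dir / "accounts.txt").write_text("acct1\n")
    (root / "sync-other").mkdir()
    (root / "secret.conf").write_text("password=constructed-value\n")
    (sync_dir / "escape").symlink_to(root / "secret.conf")  # symlink out of tree
    allowed = parse_allowed_directories(str(sync_dir))

    def outcome(path: str) -> str:
        try:
            resolve_sync_source(path, allowed)
            return "accepted"
        except PathNotAllowed:
            return "rejected"
    return {
        "inside": outcome(str(sync_dir / "accounts.txt")),
        "traversal": outcome(str(sync_dir / ".." / "secret.conf")),
        "symlink": outcome(str(sync_dir / "escape")),
        "prefix": outcome(str(root / "sync-other")),
    }
```

Only the path genuinely under the allowed directory is accepted; the traversal, symlink and prefix cases are all rejected, and an empty allow-list permits nothing, matching the restrictive default the bulletin describes for new installations.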
FAQs
Q Can I resolve these vulnerabilities without upgrading?
No. These security improvements require code-level changes found only in the latest releases. To resolve these issues, PaperCut NG/MF customers must upgrade to v25.0.11 (or v24.1.9 / v25.0.10 for badge-specific fixes), while the Ricoh fix for PaperCut Hive (CVE-2026-7824) requires the Ricoh Embedded App v2.2.0 or later.
Q Was there any evidence of these vulnerabilities being exploited?
No. These fixes have been applied through our internal security research and proactive auditing processes. They are not a response to any known exploits.
Security notifications
To stay informed about high-impact security updates, please subscribe to our Security notifications sign-up form.
Updates
| Date | Update/action |
| --- | --- |
| 5 May, 2026 (AEST) | Published the initial Security Bulletin. |