CVE-2025-62169: CWE-287: Improper Authentication in WildRikku OctoPrint-SpoolManager
OctoPrint-SpoolManager is a plugin for managing spools and all their usage metadata. In versions 1.8.0a2 and older of the testing branch and versions 1.7.7 and older of the stable branch, the APIs of the OctoPrint-SpoolManager plugin do not correctly enforce authentication or authorization checks. This issue has been patched in versions 1.8.0a3 of the testing branch and 1.7.8 of the stable branch. The impact of this vulnerability is greatly reduced when using OctoPrint version 1.11.2 and newer.
AI Analysis
Technical Summary
The OctoPrint-SpoolManager plugin, developed by WildRikku, is designed to manage 3D printing filament spools and their usage metadata within the OctoPrint ecosystem. Versions 1.8.0a2 and older in the testing branch, and 1.7.7 and older in the stable branch, suffer from an improper authentication vulnerability (CWE-287). Specifically, the plugin's APIs do not correctly enforce authentication or authorization, allowing unauthenticated remote attackers to access and manipulate spool data without restriction. This could lead to unauthorized disclosure of sensitive spool usage information, unauthorized modification or deletion of spool records, and potential disruption of 3D printing workflows. The vulnerability has been addressed in versions 1.8.0a3 (testing) and 1.7.8 (stable). Additionally, the impact is significantly reduced when the plugin is used with OctoPrint version 1.11.2 or later, which likely includes enhanced security controls in the core platform. The CVSS v3.1 base score is 8.1, indicating high severity due to the network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the ease of exploitation and the high impact make timely patching essential.
Potential Impact
For European organizations utilizing OctoPrint with the SpoolManager plugin, this vulnerability poses a significant risk to the confidentiality and integrity of 3D printing spool data, which may include proprietary or sensitive manufacturing information. Unauthorized access could allow attackers to disrupt production workflows by altering or deleting spool metadata, potentially causing downtime or defective prints. In sectors such as manufacturing, research, and prototyping—where 3D printing is integral—this could lead to operational delays and financial losses. Moreover, compromised spool data might expose intellectual property or usage patterns, increasing the risk of industrial espionage. The vulnerability's network accessibility and lack of required authentication amplify the threat, especially in environments where OctoPrint instances are exposed or insufficiently segmented. However, organizations running OctoPrint 1.11.2 or newer will experience reduced impact due to improved security measures in the core platform.
Mitigation Recommendations
European organizations should immediately verify their OctoPrint-SpoolManager plugin version and upgrade to at least 1.7.8 (stable) or 1.8.0a3 (testing) to remediate the vulnerability. Additionally, upgrading the OctoPrint core to version 1.11.2 or newer is strongly recommended to benefit from enhanced security controls that mitigate the impact. Network segmentation should be enforced to restrict access to OctoPrint instances, limiting exposure to trusted internal networks only. Implementing strong firewall rules and VPN access for remote connections can further reduce attack surface. Regularly audit and monitor API access logs for unusual activity indicative of exploitation attempts. Disable or uninstall the SpoolManager plugin if it is not essential to operations. Finally, maintain an up-to-date inventory of all 3D printing infrastructure components and apply security patches promptly to minimize exposure.
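As an added triage helper for the inventory step above (example code, not part of the advisory or of the plugin's own code base), the functions below classify each OctoPrint host against the version boundaries the advisory states: stable fixed at 1.7.8, testing fixed at 1.8.0a3, and reduced impact on OctoPrint 1.11.2 or newer. The hostnames and version strings in the sample inventory are constructed.

```python
import re

# Fixed versions and the reduced-impact core version, as stated in the advisory.
STABLE_FIXED = "1.7.8"        # stable branch: 1.7.7 and older are affected
TESTING_FIXED = "1.8.0a3"     # testing branch: 1.8.0a2 and older are affected
OCTOPRINT_REDUCED_IMPACT = "1.11.2"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}


def parse_version(text: str) -> tuple:
    """Turn '1.8.0a2' into a sortable tuple ((1, 8, 0), (0, 2)).
    A final release gets pre-release part (3, 0) so it sorts after any a/b/rc."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    # pad to three components so that 1.8 compares equal to 1.8.0
    release = release + (0,) * (3 - len(release))
    pre = (_PRE_ORDER[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return (release, pre)


def spoolmanager_is_vulnerable(plugin_version: str) -> bool:
    """True when the installed SpoolManager build predates the fix for its branch."""
    v = parse_version(plugin_version)
    if v[0] >= (1, 8, 0):
        # testing branch: 1.8.0a2 and older vulnerable, 1.8.0a3 and newer fixed
        return v < parse_version(TESTING_FIXED)
    # stable branch: 1.7.7 and older vulnerable, 1.7.8 and newer fixed
    return v < parse_version(STABLE_FIXED)


def triage(plugin_version: str, octoprint_version: str) -> str:
    """Return 'patched', 'vulnerable-reduced-impact' (core >= 1.11.2) or 'vulnerable'."""
    if not spoolmanager_is_vulnerable(plugin_version):
        return "patched"
    if parse_version(octoprint_version) >= parse_version(OCTOPRINT_REDUCED_IMPACT):
        return "vulnerable-reduced-impact"
    return "vulnerable"


# Constructed sample inventory: (hostname, SpoolManager version, OctoPrint version).
SAMPLE_INVENTORY = [
    ("printer-lab-01", "1.7.7", "1.10.3"),
    ("printer-lab-02", "1.8.0a2", "1.11.2"),
    ("printer-proto-07", "1.7.8", "1.10.3"),
    ("printer-proto-08", "1.8.0a3", "1.9.0"),
]


def triage_inventory(rows=SAMPLE_INVENTORY) -> dict:
    return {host: triage(plugin, core) for host, plugin, core in rows}
```

Hosts reported as "vulnerable" need the plugin upgraded first; "vulnerable-reduced-impact" hosts still need the plugin fix, the newer core only limits the blast radius.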
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-07T16:12:03.425Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fa55172f85fa8bca58f7d0
Added to database: 10/23/2025, 4:17:27 PM
Last enriched: 10/23/2025, 4:17:41 PM
Last updated: 10/23/2025, 8:17:43 PM