
CVE-2026-21409: Authorization bypass through user-controlled key in Ricoh Company, Ltd. RICOH Streamline NX

Severity: Medium
Published: Fri Jan 09 2026 (01/09/2026, 07:15:52 UTC)
Source: CVE Database V5
Vendor/Project: Ricoh Company, Ltd.
Product: RICOH Streamline NX

Description

Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved.

AI-Powered Analysis

Last updated: 01/09/2026, 07:57:38 UTC

Technical Analysis

CVE-2026-21409 is an authorization bypass vulnerability identified in Ricoh Streamline NX, a document workflow and management solution widely used in enterprise environments. The affected versions range from 3.5.1 to 24R3. The vulnerability arises due to improper authorization controls when processing user requests, specifically in scenarios where an attacker can intercept and manipulate communication between the client and the server (man-in-the-middle attack). By crafting specific requests during such an interception, the attacker can retrieve sensitive user registration information and OpenID Connect (OIDC) tokens. OIDC tokens are critical for authentication and authorization processes, and their compromise can lead to unauthorized access to user accounts or services. The vulnerability does not require the attacker to have prior authentication or user interaction, but the attacker must be able to intercept network traffic, which typically requires network-level access or control over communication channels. The CVSS v3.0 base score is 5.9, indicating a medium severity level, with the vector highlighting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No public exploits have been reported yet, but the exposure of OIDC tokens poses a significant risk for identity and access management compromise. The vulnerability underscores the importance of securing communication channels and proper authorization checks within Ricoh Streamline NX products.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive user registration data and authentication tokens, potentially enabling attackers to impersonate users or escalate privileges within document management workflows. This can result in data breaches, unauthorized document access, and compromise of identity management systems integrated via OIDC. Organizations handling sensitive or regulated data (e.g., financial, healthcare, government) face increased risk of compliance violations under GDPR and other data protection laws. The impact is heightened in environments where Ricoh Streamline NX is integrated with critical business processes or identity providers. Since exploitation requires network-level interception, organizations with less secure internal networks or remote access configurations are more vulnerable. The lack of impact on integrity and availability limits direct disruption but does not reduce the risk of downstream attacks leveraging stolen credentials or tokens.

Mitigation Recommendations

1. Immediately restrict network access to Ricoh Streamline NX servers, ensuring they are not exposed to untrusted networks or the internet.
2. Implement strong encryption protocols (e.g., TLS 1.2 or higher) for all communications between clients and the Ricoh Streamline NX server to prevent MITM attacks.
3. Employ network segmentation and monitoring to detect unusual traffic patterns indicative of interception or tampering.
4. Use endpoint security solutions to prevent attackers from gaining the network access required for MITM.
5. Regularly audit and update identity provider configurations and OIDC token lifetimes to minimize token exposure risk.
6. Apply vendor patches or updates as soon as they become available to address the vulnerability directly.
7. Educate users and administrators on the risks of connecting through insecure networks and the importance of VPNs or secure channels.
8. Consider implementing additional multi-factor authentication (MFA) on critical systems to mitigate risks from token compromise.
9. Conduct penetration testing and vulnerability assessments focusing on network security around Ricoh Streamline NX deployments.
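Recommendation 2 (enforce TLS 1.2 or higher with proper certificate validation on the client side) is the control that directly removes the MITM precondition described in the advisory. The following added example is not Ricoh's code or the advisory's; it shows, in Python's standard `ssl` module, a weak client context of the kind that makes interception possible next to a hardened one, plus a small audit function that a client integration could run against whatever context it is about to use. The hypothetical `ca_bundle` parameter stands for an organization's own CA bundle path; no network connection is made.

```python
import ssl
from typing import List, Optional


def make_weak_client_context() -> ssl.SSLContext:
    """The 'before': a client context that accepts any server certificate
    and any TLS version. An on-path attacker can present their own
    certificate and read or modify the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def make_hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The 'after': certificate required, hostname checked, TLS >= 1.2.
    ca_bundle (assumed path) lets a deployment pin its own CA set; None
    falls back to the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of MITM-relevant weaknesses found in a context.
    An empty list means the context meets the recommendation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are permitted")
    return findings


if __name__ == "__main__":
    # Demonstration only: compare the two contexts without connecting anywhere.
    print("weak:", audit_context(make_weak_client_context()))
    print("hardened:", audit_context(make_hardened_client_context()))
```

Running the audit at client start-up (and failing closed if it returns any findings) turns the recommendation into an enforced invariant rather than a deployment note; the same three checks apply to any client library that exposes its TLS settings.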


Technical Details

Data Version: 5.2
Assigner Short Name: jpcert
Date Reserved: 2025-12-24T07:24:57.904Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 6960b130ecefc3cd7c0f7d19

Added to database: 1/9/2026, 7:41:36 AM

Last enriched: 1/9/2026, 7:57:38 AM

Last updated: 1/9/2026, 11:09:46 PM

