CVE-2026-22235 is an authorization bypass vulnerability identified in the OPEXUS eComplaint software, specifically affecting versions before 9.0.45.0. The vulnerability arises due to insufficient authorization validation on the 'DocumentOpen.aspx' endpoint, which accepts a user-controlled parameter named 'chargeNumber'. An attacker can exploit this by iterating through predictable 'chargeNumber' values, effectively enumerating and downloading any uploaded files associated with those identifiers without requiring authentication or user interaction. This vulnerability is classified under CWE-639, which involves authorization bypass through user-controlled keys, indicating that the system fails to properly verify whether the requesting user has permission to access the requested resource. The CVSS 3.1 base score is 7.5 (high), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack can be performed remotely over the network with low complexity, no privileges, and no user interaction, resulting in a high confidentiality impact but no integrity or availability impact. The vulnerability could lead to unauthorized disclosure of sensitive complaint documents, potentially exposing personal or confidential information. No public exploits have been reported yet, but the predictable nature of the parameter and lack of authentication requirements make exploitation straightforward. The absence of a patch link suggests that remediation may require vendor intervention or configuration changes. Organizations relying on OPEXUS eComplaint for complaint management should urgently assess their exposure and apply any available updates or mitigations.

For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure, particularly of sensitive complaint-related documents that may contain personal data protected under GDPR. Exposure of such information could lead to privacy violations, regulatory penalties, reputational damage, and loss of customer trust. Since the vulnerability allows unauthenticated remote access to files, attackers could systematically harvest sensitive data without detection. This risk is heightened for public sector bodies, legal firms, or companies handling consumer complaints who use OPEXUS eComplaint. The breach of confidentiality could also facilitate further targeted attacks or social engineering campaigns. Additionally, organizations may face legal consequences under European data protection laws if they fail to secure complaint data adequately. The lack of integrity or availability impact limits the threat to data leakage rather than system disruption, but the sensitivity of the data involved makes this a critical concern.

European organizations should immediately verify their version of OPEXUS eComplaint and upgrade to version 9.0.45.0 or later once available. In the absence of an official patch, organizations should implement strict network-level access controls to restrict access to the 'DocumentOpen.aspx' endpoint, such as IP whitelisting or VPN-only access. Application-level mitigations include implementing additional authorization checks to validate user permissions against the requested 'chargeNumber' parameter. Monitoring and logging access to complaint documents should be enhanced to detect unusual enumeration patterns or repeated access attempts. Employing web application firewalls (WAFs) with custom rules to block requests with suspicious parameter values can reduce exposure. Regular security audits and penetration testing focused on authorization controls are recommended. Finally, organizations should review data retention policies to minimize the amount of sensitive data stored and ensure encrypted storage of complaint documents to reduce impact if accessed.