CVE-2026-2672: Path Traversal in Tsinghua Unigroup Electronic Archives System
A security flaw has been discovered in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). The vulnerability affects the function Download of the file /Search/Subject/downLoad. Manipulating the argument path results in path traversal. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-2672 is a path traversal vulnerability identified in the Tsinghua Unigroup Electronic Archives System version 3.2.210802(62532). The vulnerability resides in the Download function accessible via the /Search/Subject/downLoad endpoint. Specifically, the function does not properly sanitize or validate the 'path' parameter, allowing an attacker to manipulate this argument to traverse directories outside the intended file storage area. This enables unauthorized access to arbitrary files on the server's filesystem. The attack vector is remote network access without requiring authentication or user interaction, making exploitation relatively straightforward. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity due to limited impact on confidentiality and no direct impact on integrity or availability. The vendor was informed early but has not issued a patch or mitigation guidance. Public exploit code is available, increasing the likelihood of exploitation attempts. This vulnerability could lead to sensitive data disclosure, including configuration files, credentials, or other protected documents stored on the system. Given the nature of electronic archives, the exposure of confidential organizational or personal data is a significant concern. The lack of vendor response and patch availability necessitates immediate defensive actions by affected organizations.
Potential Impact
The primary impact of CVE-2026-2672 is unauthorized disclosure of sensitive information stored on servers running the affected version of the Tsinghua Unigroup Electronic Archives System. Attackers exploiting this path traversal can access arbitrary files, potentially including confidential documents, user data, system configuration files, or credentials. This can lead to data breaches, loss of privacy, and potential further compromise if sensitive credentials or keys are exposed. Although the vulnerability does not directly affect system integrity or availability, the exposure of critical information can facilitate subsequent attacks such as privilege escalation or lateral movement within a network. Organizations relying on this electronic archives system, especially those handling sensitive or regulated data, face reputational damage, compliance violations, and operational risks. The availability of public exploit code increases the risk of opportunistic attacks, especially in environments with internet-facing instances of the affected software. The lack of vendor patching prolongs exposure and complicates remediation efforts.
Mitigation Recommendations
1. Immediately restrict external access to the /Search/Subject/downLoad endpoint via network controls such as firewalls or web application firewalls (WAFs) to limit exposure.
2. Implement input validation and sanitization at the application or proxy level to block path traversal patterns (e.g., '..', '%2e%2e', or other encoded traversal sequences) in the 'path' parameter.
3. Employ strict access controls and file system permissions on the server to ensure that the application process cannot access sensitive files outside its designated directories.
4. Monitor logs for suspicious requests targeting the vulnerable endpoint, especially those containing traversal sequences, and respond promptly to potential exploitation attempts.
5. If feasible, isolate the affected system in a segmented network zone to reduce the blast radius of a potential breach.
6. Engage with the vendor for updates or patches and track any future advisories.
7. Consider deploying runtime application self-protection (RASP) or intrusion detection systems (IDS) capable of detecting and blocking path traversal attacks.
8. As a longer-term measure, plan for an upgrade or replacement of the affected software with a version that addresses this vulnerability once available.
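One way to apply recommendations 2 and 4 to web-server access logs, as an added example (not code from the vendor or from this advisory): it flags requests to the affected endpoint whose 'path' parameter contains a '..' segment after repeated percent-decoding. The combined-log layout, the sample lines, the case-insensitive endpoint match and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/Search/Subject/downLoad"   # endpoint named in the advisory
PARAM = "path"                          # parameter named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IPs, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2026:10:00:01 +0000] "GET /Search/Subject/downLoad?path=2021/report..final.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2026:10:00:05 +0000] "GET /Search/Subject/downLoad?path=../../constructed/secret.txt HTTP/1.1" 200 311',
    '198.51.100.7 - - [18/Feb/2026:10:00:06 +0000] "GET /Search/Subject/downLoad?path=%2e%2e%2f%2e%2e%2fconstructed.txt HTTP/1.1" 200 311',
    '198.51.100.7 - - [18/Feb/2026:10:00:07 +0000] "GET /Search/Subject/downLoad?path=%252e%252e%255c%252e%252e%255cconstructed.txt HTTP/1.1" 200 311',
    '192.0.2.10 - - [18/Feb/2026:10:00:09 +0000] "GET /Search/Subject/list?path=../x HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment equals '..' (either slash style) once decoded."""
    return ".." in re.split(r"[\\/]+", fully_decode(value))

def suspicious_requests(log_lines):
    """Return log lines that hit the endpoint with a traversal in 'path'."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.lower() != ENDPOINT.lower():  # assumption: case-insensitive routing
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() == PARAM and has_traversal(value):
                hits.append(line)
                break
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Matching on whole segments keeps a file name such as `report..final.pdf` from raising a false alert. A 'path' value sent in a POST body does not appear in a standard access log, so this check covers query-string requests only.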
Affected Countries
China, United States, India, Russia, South Korea, Japan, Germany, United Kingdom, France, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-18T09:24:14.020Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6996357e6aea4a407aec4455
Added to database: 2/18/2026, 9:56:14 PM
Last enriched: 2/28/2026, 1:38:44 PM
Last updated: 4/5/2026, 3:53:11 AM