CVE-2026-2672: Path Traversal in Tsinghua Unigroup Electronic Archives System
CVE-2026-2672 is a medium-severity path traversal vulnerability in Tsinghua Unigroup Electronic Archives System version 3.2.210802(62532). It affects the Download function at the /Search/Subject/downLoad endpoint, allowing remote attackers to manipulate the file path argument to access unauthorized files on the server. No authentication or user interaction is required, and the vulnerability can be exploited over the network. Although the vendor was notified, no patch or response has been provided, and a public exploit is available. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting moderate impact and ease of exploitation. European organizations using this archival system could face unauthorized data disclosure risks.
AI Analysis
Technical Summary
CVE-2026-2672 is a path traversal vulnerability identified in Tsinghua Unigroup Electronic Archives System version 3.2.210802(62532). The flaw exists in the Download function accessed via the /Search/Subject/downLoad endpoint, where the 'path' argument is improperly sanitized. This allows an attacker to craft malicious requests that traverse directories beyond the intended file repository, potentially accessing sensitive files on the server's filesystem. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The vendor was informed early but has not issued any patches or advisories. The vulnerability has a CVSS 4.0 score of 5.3, indicating medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Of confidentiality, integrity, and availability, only confidentiality is affected (low impact): the attacker can read files but cannot modify them or disrupt service. The public release of an exploit increases the likelihood of attacks. The lack of vendor response and patch availability means affected organizations must rely on mitigations and monitoring. This vulnerability is particularly concerning for organizations that store sensitive or regulated data in the affected archival system, as unauthorized file access could lead to data breaches or compliance violations.
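What a sound check on the 'path' argument looks like, as an added example (this is not the vendor's code; the archive root, function names and file names are assumptions): resolve the requested value against the repository root and refuse anything that lands outside it, instead of filtering '../' strings.

```python
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """The requested download path does not name a file inside the root."""


def resolve_download(root: Path, requested: str) -> Path:
    """Map a client-supplied 'path' value to a file under root, or raise."""
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    # Judge backslashes as separators and never honour an absolute path.
    relative = requested.replace("\\", "/").lstrip("/")
    base = root.resolve()
    # resolve() collapses '..' and follows symlinks, so the comparison is
    # made on the location that would actually be opened.
    candidate = (base / relative).resolve()
    if base not in candidate.parents or not candidate.is_file():
        raise PathRejected(f"refused: {requested!r}")
    return candidate


def demo() -> dict:
    """Try constructed inputs against a throwaway archive root."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside.txt"      # sits next to the root
        outside.write_text("not part of the archive")
        root = Path(tmp) / "archive"
        (root / "2024").mkdir(parents=True)
        (root / "2024" / "report.pdf").write_bytes(b"constructed")
        os.symlink(outside, root / "link.txt")   # symlink pointing out
        cases = {
            "normal": "2024/report.pdf",
            "dotdot": "../outside.txt",
            "nested": "2024/../../outside.txt",
            "backslash": "..\\outside.txt",
            "symlink": "link.txt",
            "absolute": str(outside),
        }
        results = {}
        for label, value in cases.items():
            try:
                resolve_download(root, value)
                results[label] = "served"
            except PathRejected:
                results[label] = "refused"
        return results
```

The symlink case is the one a string filter cannot catch: the value contains no '..' at all, yet the resolved location is outside the root.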
Potential Impact
For European organizations using the Tsinghua Unigroup Electronic Archives System, this vulnerability poses a risk of unauthorized disclosure of sensitive archival data. Confidentiality is primarily impacted, as attackers can read arbitrary files on the server, potentially exposing personal data, intellectual property, or classified documents. This could lead to regulatory non-compliance under GDPR and other data protection laws, resulting in legal and financial penalties. The vulnerability does not directly affect system availability or integrity, but data exposure alone can have severe reputational and operational consequences. Since the exploit is remotely executable without authentication, attackers can target exposed systems over the internet or internal networks. Organizations in sectors such as government, research, finance, and healthcare that rely on electronic archives for critical records are especially vulnerable. The absence of a vendor patch increases the urgency for organizations to implement compensating controls to prevent exploitation and detect suspicious activity.
Mitigation Recommendations
1. Implement strict input validation and sanitization on the 'path' parameter in the Download function to prevent directory traversal sequences such as '../'.
2. Employ allowlisting of permissible file paths or filenames to restrict downloads to authorized files only.
3. Configure the web server and application to run with the least privileges necessary, limiting file system access to only required directories.
4. Use web application firewalls (WAFs) to detect and block path traversal attack patterns targeting the vulnerable endpoint.
5. Monitor logs for unusual access patterns or attempts to access sensitive files outside the intended directories.
6. Isolate the archival system within a segmented network zone to reduce exposure to external attackers.
7. If possible, disable or restrict the Download function until a vendor patch or official fix is available.
8. Engage with the vendor or community to track any updates or patches addressing this vulnerability.
9. Conduct regular security assessments and penetration tests focusing on file access controls in the archival system.
10. Educate IT and security teams about this vulnerability and the importance of rapid incident response if exploitation is detected.
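For the log-monitoring and WAF items above, an added example (not part of the advisory or the product) that scans web server access logs for requests to the download endpoint whose 'path' value contains a parent-directory segment after decoding. It assumes combined-format access logs and that the parameter arrives in the query string; the sample lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/search/subject/download"  # from the advisory, compared case-insensitively
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, made-up file names).
_T = '{} - - [18/Feb/2026:10:00:00 +0000] "GET {} HTTP/1.1" {} 512'
SAMPLE_LOG = [_T.format(*row) for row in [
    ("192.0.2.10", "/Search/Subject/downLoad?path=2024/report.pdf", 200),
    ("198.51.100.7", "/Search/Subject/downLoad?path=../../outside.txt", 200),
    ("198.51.100.7", "/Search/Subject/downLoad?path=..%2f..%2foutside.txt", 404),
    ("203.0.113.5", "/Search/Subject/downLoad?path=%252e%252e%252foutside.txt", 200),
    ("203.0.113.5", "/search/subject/download?PATH=..%5C..%5Coutside.txt", 200),
    ("192.0.2.10", "/Search/Subject/downLoad?path=2024/notes..v2.pdf", 200),
    ("192.0.2.44", "/static/../logo.png", 200),
]]


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e is judged as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_parent_segment(value):
    """True if any path segment is '..' once decoded and slash-normalised."""
    return ".." in decode_fully(value).replace("\\", "/").split("/")


def scan(lines):
    """Return (client, status, decoded path) for suspicious download requests."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if unquote(url.path).lower().rstrip("/") != ENDPOINT:
            continue
        # parse_qsl already decodes once; decode_fully handles further layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() == "path" and has_parent_segment(value):
                hits.append((client, int(status), decode_fully(value)))
    return hits
```

A hit with status 200 deserves attention first, since the server answered the request successfully. Standard access logs do not record request bodies, so if the application also accepts the parameter in a POST body the same check belongs in a WAF or reverse proxy that can inspect bodies.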
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-18T09:24:14.020Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6996357e6aea4a407aec4455
Added to database: 2/18/2026, 9:56:14 PM
Last enriched: 2/18/2026, 10:10:32 PM
Last updated: 2/18/2026, 11:21:36 PM