CVE-2026-2752 is a vulnerability identified in Navtor NavBox version 4.12.0.3 involving improper error handling that leads to information disclosure (CWE-209). The flaw exists in the /api/ais-data endpoint, where crafted requests by remote, unauthenticated attackers trigger unhandled exceptions. These exceptions cause the server to return verbose .NET stack traces in the HTTP response. The stack traces reveal sensitive internal details such as class names, method calls, and references to third-party libraries like System.Data.SQLite. This information leakage can assist attackers in mapping the internal architecture of the application, potentially facilitating more sophisticated attacks such as code injection, privilege escalation, or targeted exploitation of other vulnerabilities. The vulnerability does not require authentication or user interaction, increasing its accessibility to attackers. However, it does not directly compromise data integrity or system availability. No patches or exploits are currently publicly available, but the disclosure of internal application details represents a significant security concern. Proper error handling and sanitization of error messages are lacking, which is the root cause of this vulnerability.

The primary impact of CVE-2026-2752 is information disclosure, which can aid attackers in reconnaissance and planning further attacks against NavBox or the underlying infrastructure. While the vulnerability does not directly affect data integrity or availability, the exposure of internal application details can increase the risk of subsequent exploitation, including injection attacks or privilege escalation. Organizations using NavBox 4.12.0.3, especially in maritime navigation and fleet management, could face increased risk of targeted attacks that leverage this information. The vulnerability’s ease of exploitation without authentication or user interaction broadens the attack surface. However, the impact remains medium as it does not immediately compromise sensitive data or system functionality. The lack of known exploits in the wild suggests limited active exploitation currently, but the risk remains for opportunistic attackers. Maritime companies, shipping operators, and related logistics providers relying on NavBox are the most affected, potentially impacting operational security and confidentiality.

To mitigate CVE-2026-2752, organizations should implement the following specific measures: 1) Update or patch NavBox to a version where error handling is properly sanitized to avoid leaking stack traces; if no patch is available, contact Navtor for guidance or temporary fixes. 2) Configure the application and underlying .NET framework to disable detailed error messages in production environments, ensuring only generic error responses are returned to clients. 3) Implement web application firewalls (WAFs) with rules to detect and block malformed or suspicious requests targeting the /api/ais-data endpoint. 4) Conduct thorough input validation and exception handling within the application to prevent unhandled exceptions from propagating to the client. 5) Monitor logs for repeated or anomalous requests to the vulnerable endpoint that may indicate exploitation attempts. 6) Restrict access to the /api/ais-data endpoint to trusted networks or authenticated users where feasible, reducing exposure. 7) Perform security assessments and penetration testing focused on error handling and information leakage to identify similar issues. These targeted actions go beyond generic advice by focusing on error message management, access control, and proactive monitoring tailored to this vulnerability.