CVE-2026-6180: CWE-367 Time-of-check time-of-use (TOCTOU) race condition in PaperCut PaperCut NG/MF
A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device.
AI Analysis
Technical Summary
This vulnerability arises from a time-of-check time-of-use (TOCTOU) race condition in PaperCut NG/MF when handling badge-swipe data. Network issues such as dropped packets and out-of-order sequence counters can cause the server to reject the initial data chunk but accept subsequent chunks before a connection reset completes. This results in a truncated badge ID string being registered. In setups with custom badge-ID post-processing, this truncated string can be converted into a valid badge ID of another user, allowing incorrect user login on the device.
Potential Impact
The primary impact is the potential for unauthorized session establishment on affected devices due to incorrect user login. This occurs when truncated badge ID strings are transformed into valid IDs of other users by custom post-processing scripts. Typically, the vulnerability leads to authentication failures, but in specific configurations, it can cause privilege misattribution. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented. Until a patch is available, organizations should review and potentially disable custom badge-ID post-processing scripts to mitigate the risk of incorrect user login resulting from truncated badge IDs.
CVE-2026-6180: CWE-367 Time-of-check time-of-use (TOCTOU) race condition in PaperCut PaperCut NG/MF
Description
A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from a time-of-check time-of-use (TOCTOU) race condition in PaperCut NG/MF when handling badge-swipe data. Network issues such as dropped packets and out-of-order sequence counters can cause the server to reject the initial data chunk but accept subsequent chunks before a connection reset completes. This results in a truncated badge ID string being registered. In setups with custom badge-ID post-processing, this truncated string can be converted into a valid badge ID of another user, allowing incorrect user login on the device.
Potential Impact
The primary impact is the potential for unauthorized session establishment on affected devices due to incorrect user login. This occurs when truncated badge ID strings are transformed into valid IDs of other users by custom post-processing scripts. Typically, the vulnerability leads to authentication failures, but in specific configurations, it can cause privilege misattribution. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented. Until a patch is available, organizations should review and potentially disable custom badge-ID post-processing scripts to mitigate the risk of incorrect user login resulting from truncated badge IDs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- PaperCut
- Date Reserved
- 2026-04-13T05:21:02.099Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f996efcbff5d8610d19726
Added to database: 5/5/2026, 7:06:23 AM
Last enriched: 5/5/2026, 7:21:48 AM
Last updated: 5/5/2026, 8:09:17 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.