Zurich Instruments LabOne Web Server contains a path traversal vulnerability (CWE-22) caused by insufficient input validation in its file access functionality. An unauthenticated attacker can exploit this to read arbitrary files on the host system with the privileges of the OS user running LabOne. Furthermore, the Web Server lacks sufficient cross-origin request restrictions (CWE-346), which could allow remote attackers to induce file access through a victim's browser by directing them to malicious websites. The vulnerability is only exploitable when the LabOne Web Server component is active; API-only usage without the Web Server is not vulnerable. No official patch or remediation guidance is currently available from the vendor.

Successful exploitation allows an unauthenticated attacker to read arbitrary files on the host system with the operating system user's privileges running the LabOne software, potentially exposing sensitive information. The cross-origin request weakness could enable remote attackers to leverage victim browsers to access files without direct interaction with the LabOne Web Server. There is no indication of impact on integrity or availability. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should disable the LabOne Web Server component if not required, as installations using only LabOne APIs without the Web Server are not vulnerable. Additionally, restrict network access to the LabOne Web Server to trusted users and networks to reduce exposure. Monitor vendor channels for updates and apply official patches once released.