CVE-2026-1433 PUBLISHED

uniFLOW Universal Login Manager (ULM) Standalone Improper Protection of Sensitive Information Leads to Information Disclosure

Assigner: Canon_EMEA
Reserved: 26.01.2026 Published: 06.07.2026 Updated: 06.07.2026

uniFLOW Universal Login Manager (ULM) Standalone contains an information disclosure vulnerability that may allow an authenticated administrator to access sensitive configuration information through the ULM Remote User Interface (RUI). Exploitation requires administrative privileges and may disclose configuration data associated with SMTP or LDAP integrations. ULM deployments connected to uniFLOW Server or uniFLOW Online are not affected.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
CVSS Score: 4.8

Product Status

Vendor NT-ware
Product uniFLOW ULM (Universal Login Manager) Standalone
Versions Default: unaffected
  • affected from 0 to 5.10 (incl.)

Credits

  • Sam Shepherd working with BAE Systems reporter

References

Problem Types

  • CWE-522: Insufficiently Protected Credentials CWE

Impacts

  • Not applicable