CVE-2026-35097 PUBLISHED

Weak Password Requirements in KTM System e-BOK

Assigner: CERT-PL
Reserved: 01.04.2026 Published: 30.06.2026 Updated: 30.06.2026

KTM System e-BOK enforces a maximum password length of six numeric digits and does not permit the use of any alphabetic, special, or extended characters.

This issue was fixed in the patch published in June 2026.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor: KTM System
Product: e-BOK
Default status: unaffected
Versions:
  • affected from 0 to 06.2026 (excl.)

Credits

  • Jacek Korta (finder)

Problem Types

  • CWE-521: Weak Password Requirements

Impacts

  • CAPEC-49: Password Brute Forcing