ZI-SA-2026-001: Path Traversal Vulnerability in LabOne User Interface

Publication Date: 2026-04-22
Last Update: 2026-04-23
Current Version: V1.1
CVSS v3.1 Base Score: 7.5
CVSS v4.0 Base Score: 8.7

Summary

Internal security testing of the LabOne code has revealed a path traversal vulnerability in the LabOne Web Server, which backs the LabOne User Interface. The vulnerability could allow an unauthenticated attacker to read arbitrary files accessible to the operating system user running the LabOne software.

The vulnerability affects only configurations where the LabOne Web Server is running. Customers who exclusively use the LabOne APIs without starting the Web Server are not exposed.

No exploitation of this vulnerability has been reported. Zurich Instruments has released LabOne 26.01.3.9 to address this issue and strongly recommends that all customers update to the latest version.

Affected Products and Solution

Affected Product and Versions: LabOne, all versions prior to 26.01.3.9, affected by CVE-2026-6903.
Remediation: Update to version 26.01.3.9 or later. The update can be applied directly through the LabOne software, or downloaded from the Zurich Instruments Download Center. See further recommendations in Workarounds and Mitigations.

Note: Should you be bound to an earlier release of LabOne for compatibility reasons, please contact labone@zhinst.com.

Workarounds and Mitigations

Upgrading to LabOne 26.01.3.9 or later is the only complete remediation. For customers who cannot upgrade immediately, Zurich Instruments has identified the following workarounds and mitigations to reduce the risk.

The vulnerability can be exploited via two distinct attack vectors, listed below with the mitigations that address each. All applicable mitigations should be applied together.

Against a same-network attacker (an actor on the same network connecting directly to the LabOne Web Server):

  • Configure a local firewall to limit access to the LabOne Web Server (default port 8006) to localhost only, preventing access from other hosts on the network.
  • Operate systems running LabOne only within a dedicated, trusted laboratory network that is not connected to the general corporate network or the internet.

Against a malicious-website attacker (a user visits an untrusted website while the LabOne Web Server is running, and the website triggers the vulnerable behaviour through the user’s browser):

  • Do not browse untrusted or unknown websites on systems where the LabOne Web Server is active. Where practical, dedicate the LabOne host to instrument control only and avoid general-purpose web browsing on it.

Additional risk reduction: For systems that cannot be upgraded, avoiding the storage of credentials, personal data, or sensitive research data on the LabOne host reduces the impact of a successful exploit.

Product-specific remediations can be found in the section Affected Products and Solution.

Please follow the General Security Recommendations.

General Security Recommendations

As a general security measure, Zurich Instruments strongly recommends restricting network access to systems running affected versions of LabOne to trusted users and networks only. It is advised to follow recommended security practices in order to run the software in a protected IT environment until the update can be applied.

Product Description

LabOne is the instrument control software developed by Zurich Instruments. It consists of a Data Server that communicates with Zurich Instruments hardware devices and a Web Server that provides the LabOne User Interface, allowing users to configure instruments, run measurements, and manage data through a browser-based interface. LabOne also provides programmatic APIs that communicate directly with the Data Server and do not require the Web Server.

Vulnerability Description

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory.

Vulnerability CVE-2026-6903

The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability to read arbitrary files on the host system that are accessible to the operating system user running the LabOne software.

Additionally, the Web Server does not sufficiently restrict cross-origin requests, which could allow a remote attacker to trigger file access from a victim's browser by directing the victim to a malicious website.

The vulnerability is only exploitable when the LabOne Web Server is running. Installations using only the LabOne APIs without starting the Web Server are not exposed.
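As an added example (not code from the LabOne Web Server), the two server-side checks that address the weaknesses listed below: canonicalise a requested path and confirm it stays under the served directory before reading it (CWE-22), and accept browser-originated file requests only from an allowlisted origin (CWE-346). The served root, the origin allowlist and the handler names are constructed for illustration.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed for this example: directory the web server is allowed to serve
# from and the origins a browser may send when it embeds the UI.
SERVED_ROOT = PurePosixPath("/srv/labone-ui")
ALLOWED_ORIGINS = {"http://localhost:8006", "http://127.0.0.1:8006"}


def resolve_within_root(requested: str, root: PurePosixPath = SERVED_ROOT) -> Optional[PurePosixPath]:
    """Map a request path to a file under `root`, or return None (CWE-22).

    The path is normalised first (collapsing '..' and '.' segments), then
    containment is checked component-wise via relative_to(), so a sibling
    directory such as '/srv/labone-ui2' is not accepted as a string prefix
    match. A real server must additionally resolve symlinks of the opened
    file (e.g. os.path.realpath) before trusting this result.
    """
    if "\x00" in requested or requested.startswith(("/", "\\")):
        return None
    candidate = PurePosixPath(posixpath.normpath(str(root / requested)))
    try:
        candidate.relative_to(root)
    except ValueError:  # normalised path escaped the served root
        return None
    return candidate


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Refuse file requests that a browser made on behalf of another site (CWE-346).

    Browsers attach Origin to cross-site requests; fall back to Referer when
    Origin is absent. A request with neither header comes from a non-browser
    client, for which the path check above is the relevant control.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return True
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def serve_file(request_path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical handler: percent-decode once, then apply both checks."""
    if not origin_allowed(headers):
        return 403, "cross-origin request refused"
    target = resolve_within_root(unquote(request_path))
    if target is None:
        return 404, "not found"
    return 200, str(target)
```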

CVSS v3.1 Base Score: 7.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score: 8.7
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-346: Origin Validation Error

Additional Information

For further inquiries on security vulnerabilities in Zurich Instruments products, please contact security@zhinst.com.

History Data

V1.0 (2026-04-22): Publication Date
V1.1 (2026-04-23): Added CVE-2026-6903 identifier.

Terms of Use

The use of Zurich Instruments Security Advisories is subject to the following terms and conditions. Zurich Instruments provides these advisories "as-is" and without warranty of any kind. In no event shall Zurich Instruments be liable for any damages arising from the use of this advisory. Zurich Instruments reserves the right to update or modify this advisory at any time.

ZI-SA-2026-001 — © Zurich Instruments 2026