Multiple vulnerabilities in Suprema's BioStar
Posted date 29/05/2026
Identifier
INCIBE-2026-389
Importance
5 - Critical
Affected Resources
The following versions of BioStar 2 (Server) are affected:
- from version v2.9.3 through v2.9.11 (CVE-2026-9508);
- versions v2.9.11, v2.9.10, and v2.9.8 (CVE-2026-9509).
Description
INCIBE has coordinated the disclosure of two vulnerabilities, one critical and one high severity, in Suprema's BioStar 2, a software and hardware platform for physical access control. The vulnerabilities were discovered by Jordi Garcia Ribera.
Each vulnerability has been assigned a CVE identifier, a CVSS v4.0 base score and vector, and a CWE weakness type:
- CVE-2026-9508: CVSS v4.0 9.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L | CWE-732 (Incorrect Permission Assignment for Critical Resource)
- CVE-2026-9509: CVSS v4.0 8.2 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H | CWE-248 (Uncaught Exception)
Solution
The vulnerabilities have been fixed by the Suprema team. We recommend updating to the latest available version. In addition, review where BioStar 2 backups are written: a backup directory placed inside the NGINX webroot is what makes CVE-2026-9508 reachable, so store backups outside the webroot and confirm that existing archives cannot be fetched without an authenticated session.
Detail
- CVE-2026-9508: incorrect permission assignment on a critical resource in Suprema BioStar 2 (Server), versions 2.9.3 through 2.9.11. When the administrator configures the backup path inside the NGINX webroot, the backup archives become publicly reachable: an attacker with network access can download the backup ZIP files directly via ‘http(s)://[server]/download/…’ without authenticating. The archives contain highly sensitive data, and their disclosure can lead to server impersonation, unauthorized database access and lateral movement.
- CVE-2026-9509: an unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10 and 2.9.11, that lets an unauthenticated remote attacker cause a denial of service (DoS) by sending an HTTP POST request to the ‘/api/migration’ endpoint. The request triggers a failure that halts critical processes and leaves the system offline until the services or the server are restarted by hand. While the server is down, the access control readers stop working and third-party integrations may fail. Because the request needs no privileges or user interaction and is trivial to automate, the impact on availability is high and extends to interconnected systems.
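As an added example (not Suprema's or INCIBE's code), the following Python covers both findings: an unauthenticated-fetch classifier for backup archives under /download/ (CVE-2026-9508) and an access-log scan for POST requests to /api/migration (CVE-2026-9509). The /download/ layout and the endpoint and method come from the advisory; the backup file name, the host, the nginx "combined" log format and the sample log lines are assumptions made for this example.

```python
"""Added example for the two BioStar 2 issues above.  This is not Suprema's
or INCIBE's code; host names, backup file names and log lines are constructed."""
import re
import urllib.error
import urllib.request
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"  # local-file header that starts every ZIP archive


def classify_download_response(status: int, body: bytes) -> str:
    """CVE-2026-9508: classify the reply to an unauthenticated GET of a
    backup under /download/.  A 200 whose body starts with the ZIP magic
    means the archive was served without any session ("exposed")."""
    if status == 200:
        return "exposed" if body[:4] == ZIP_MAGIC else "not_zip"  # e.g. a login page
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "missing"  # nothing by that name under the webroot
    return "unknown"


def probe_backup(base_url: str, filename: str, timeout: float = 5.0) -> str:
    """Fetch /download/<filename> with no cookies or Authorization header and
    read only the first four bytes, so the check never pulls a whole backup.
    The advisory publishes the /download/ prefix but not the file name, so the
    name is an assumption supplied by the caller."""
    url = f"{base_url.rstrip('/')}/download/{filename}"
    req = urllib.request.Request(url, headers={"User-Agent": "backup-exposure-check"})
    try:
        # urlopen follows redirects: a bounce to the login page ends as 200 HTML,
        # which classify_download_response reports as "not_zip".
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_download_response(resp.status, resp.read(4))
    except urllib.error.HTTPError as err:
        return classify_download_response(err.code, b"")


# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "ref" "ua"
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """CVE-2026-9509 (and a second look at CVE-2026-9508) from the web server
    log.  Returns POST /api/migration counts per source IP, plus every 200
    response for a .zip under /download/.  Even one migration POST deserves a
    look: the advisory says a single request is enough to halt the services."""
    migration_posts = Counter()
    zip_downloads = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string
        if m["method"] == "POST" and path == "/api/migration":
            migration_posts[m["ip"]] += 1
        elif (m["method"] == "GET" and path.startswith("/download/")
              and path.endswith(".zip") and m["status"] == "200"):
            zip_downloads.append((m["ip"], path))
    return {"migration_posts": migration_posts, "zip_downloads": zip_downloads}


# Constructed sample log (not real traffic).  The 500 on the migration POST is
# an assumption about how the unhandled exception shows up in the access log.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2026:10:15:01 +0200] "GET /api/users?limit=20 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.9 - - [29/May/2026:10:15:04 +0200] "GET /download/backup_2026-05-28.zip HTTP/1.1" 200 5242880 "-" "curl/8.5.0"
203.0.113.7 - - [29/May/2026:10:15:09 +0200] "POST /api/migration HTTP/1.1" 500 0 "-" "python-requests/2.31.0"
203.0.113.7 - - [29/May/2026:10:15:09 +0200] "POST /api/migration HTTP/1.1" 500 0 "-" "python-requests/2.31.0"
10.0.0.5 - - [29/May/2026:10:15:12 +0200] "GET /api/migration HTTP/1.1" 401 47 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for ip, n in hits["migration_posts"].items():
        print(f"POST /api/migration x{n} from {ip}")
    for ip, path in hits["zip_downloads"]:
        print(f"backup archive served to {ip}: {path}")
```

The log scan cannot tell whether a /download/ request carried a valid session, so a hit there is a lead to correlate with the BioStar 2 session logs, not proof of exposure; `probe_backup` against a known backup name gives the definitive answer, and returning "exposed" after the update is applied means the backup path still sits inside the webroot.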
CVE
| CVE identifier | Severity | Exploited | Vendor |
|---|---|---|---|
| CVE-2026-9508 | Critical | No | Suprema |
| CVE-2026-9509 | High | No | Suprema |