CVE-2025-69907 - Newgen OmniDocs Unauthenticated Information Disclosure

Executive Summary

An unauthenticated information disclosure vulnerability was identified in Newgen OmniDocs, caused by missing authentication and access control on a web API endpoint. A remote, unauthenticated attacker can call this endpoint to retrieve sensitive internal configuration, including cabinet identifiers and database-related metadata, which may facilitate further targeted attacks.

Vulnerability Details

Vulnerability Type: Unauthenticated Information Disclosure
CWE: CWE-284 — Improper Access Control
OWASP API Top 10: API1:2023 — Broken Object Level Authorization (as classified by this advisory; note that an endpoint reachable with no credential at all is more commonly mapped to API2:2023 — Broken Authentication)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Affected Product: Newgen OmniDocs
Affected Version: 11.0
Affected Component:
- Web API Endpoint:

CVSS v3.1

The following CVSS score is assigned based on impact and exploitability and aligns with MITRE/NVD scoring methodology.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (this vector computes to a base score of 7.5)
Severity: High

Note: The official CVSS score may be updated by NVD after public CVE publication.

Proof of Concept (PoC) - Step by Step

The following steps reproduce the issue; they were executed in a controlled test environment.

1. Access the API endpoint without authentication. Send an unauthenticated HTTP POST request (no session cookie and no Authorization header) to:
-

The provided screenshot shows the unauthenticated HTTP POST request headers and the response, which includes internal configuration details such as cabinet names and types. An HTTP 200 response carrying cabinet names or types to a request that presented no credential is the confirming indicator; a 401 or 403 response to the same request indicates the endpoint is not affected.
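The check described in the PoC, as an added example that is not part of the original advisory and not Newgen's code: a small probe that sends an unauthenticated POST and flags a response that returns cabinet metadata, run against a constructed in-process mock of both the affected behaviour (answers without any credential) and the corrected behaviour (rejects the request with 401). The endpoint path /api/config, the JSON field names and the sample response body are all assumptions for illustration; the real endpoint is not given on this page, so pass the actual URL to check_endpoint when testing a live system you are authorised to assess.

```python
"""Unauthenticated-access probe for a config-leaking API endpoint (added example)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample body, modelled on the kind of detail the advisory describes
# (cabinet names/types). Field names are assumptions, not Newgen's schema.
SAMPLE_CONFIG = {
    "cabinets": [
        {"CabinetName": "SampleCabinet", "CabinetType": "Document", "CabinetId": 1},
    ],
    "database": {"DbName": "sample_db", "DbType": "MSSQL"},
}

# Keys (lower-cased) whose presence in an unauthenticated 200 response we treat
# as leaked internal configuration. Hypothetical list; extend for your target.
SENSITIVE_KEYS = {"cabinetname", "cabinettype", "cabinetid", "dbname", "dbtype"}


def response_leaks_config(status, body):
    """True if an HTTP status/body pair looks like leaked internal configuration."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SENSITIVE_KEYS:
                    found.add(key.lower())
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(data)
    return bool(found)


def probe(url, timeout=5):
    """POST an empty JSON body with no credential; return (status, body_text)."""
    req = urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def check_endpoint(url):
    """True if the endpoint returns configuration to an unauthenticated POST."""
    status, body = probe(url)
    return response_leaks_config(status, body)


class MockHandler(BaseHTTPRequestHandler):
    """Mock endpoint. require_auth=False reproduces the reported behaviour."""
    require_auth = False

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.require_auth and not self.headers.get("Authorization"):
            payload, status = b'{"error":"authentication required"}', 401
        else:
            payload, status = json.dumps(SAMPLE_CONFIG).encode(), 200
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock(require_auth):
    """Start a mock server on a random loopback port; return (server, url)."""
    handler = type("Handler", (MockHandler,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    return server, f"http://127.0.0.1:{port}/api/config"  # hypothetical path


def demo():
    """Run the probe against the affected and the corrected mock; return results."""
    results = {}
    for name, require_auth in (("vulnerable", False), ("hardened", True)):
        server, url = start_mock(require_auth)
        try:
            results[name] = check_endpoint(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': True, 'hardened': False}
```

The probe deliberately sends no cookie and no Authorization header, because the vulnerability is that the endpoint answers without either; a 401 or 403 from the same request is the expected behaviour of a fixed deployment, which is why response_leaks_config treats anything other than a 200 as not affected.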