{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21409", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2025-12-24T07:24:57.904Z", "datePublished": "2026-01-09T07:15:52.994Z", "dateUpdated": "2026-01-09T18:11:55.373Z"}, "containers": {"cna": {"affected": [{"vendor": "Ricoh Company, Ltd.", "product": "RICOH Streamline NX", "versions": [{"version": "3.5.1 to 24R3", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved."}], "problemTypes": [{"descriptions": [{"description": "Authorization bypass through user-controlled key", "lang": "en-US", "cweId": "CWE-639", "type": "CWE"}]}], "references": [{"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000011"}, {"url": "https://jvn.jp/en/jp/JVN12770174/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-01-09T07:15:52.994Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T18:11:32.736478Z", "id": "CVE-2026-21409", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:11:55.373Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T18:11:32.736478Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:11:50.599Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Ricoh Company, Ltd.", "product": "RICOH Streamline NX", "versions": [{"status": "affected", "version": "3.5.1 to 24R3"}]}], "references": [{"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000011"}, {"url": "https://jvn.jp/en/jp/JVN12770174/"}], "descriptions": [{"lang": "en", "value": "Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-639", "description": "Authorization bypass through user-controlled key"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-01-09T07:15:52.994Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21409", "state": "PUBLISHED", "dateUpdated": "2026-01-09T18:11:55.373Z", "dateReserved": "2025-12-24T07:24:57.904Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-01-09T07:15:52.994Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved."}, {"lang": "es", "value": "Existe una vulnerabilidad de autorizaci\u00f3n impropia en RICOH Streamline NX 3.5.1 a 24R3. Si se realiza un ataque man-in-the-middle en la comunicaci\u00f3n entre el producto afectado y su usuario, y el producto procesa alguna solicitud manipulada, la informaci\u00f3n de registro del usuario y/o los tokens OIDC (OpenID Connect) pueden ser recuperados."}], "id": "CVE-2026-21409", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-01-09T08:15:58.297", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN12770174/"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000011"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:25:28.174112+00:00", "value": {"mitigation_remediation": ["Upgrade the device firmware to a version that includes the fix for the improper authorization bug, as released by Ricoh.", "If a patch is not yet available, isolate the device from untrusted networks or enforce secure transport (e.g., TLS, VPN) so that a man\u2011in\u2011the\u2011middle cannot intercept traffic.", "Implement monitoring for anomalous requests or unauthorized token disclosures on the network connecting to the device to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected systems are the Ricoh Company, Ltd. RICOH Streamline NX devices running firmware versions 3.5.1 to 24R3.", "description_and_impact": "RICOH\u2019s Streamline NX firmware versions 3.5.1 through 24R3 contain an improper authorization flaw that allows an attacker able to conduct a man\u2011in\u2011the\u2011middle attack on the device\u2019s communication channel to craft special requests. When these requests are processed, the device may expose the user\u2019s registration data and OIDC tokens. This vulnerability is classified as CWE\u2011639 and permits disclosure of sensitive credentials without requiring any legitimate local or remote administrative access.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.2, indicating high severity, but its EPSS score is less than 1%, suggesting that exploitation attempts are currently rare and would need a successful man\u2011in\u2011the\u2011middle position. The vulnerability is not listed in the CISA KEV catalog, indicating that there are no publicly known, actively employed exploits. Attackers would need to intercept traffic between a user and the device, then send crafted requests that bypass the improper authorization checks to retrieve sensitive information."}}}}, "created": "2026-01-09T13:23:33.952010+00:00", "title": "Improper Authorization Allows Retrieval of User Registration Information and OIDC Tokens via Man\u2011in\u2011the\u2011Middle", "updated": "2026-04-18T07:30:36.034132+00:00", "vendors": ["ricoh", "ricoh$PRODUCT$streamline_nx"]}