FKIE_CVE-2026-33528

Vulnerability from fkie_nvd - Published: 2026-03-26 20:16 - Updated: 2026-06-17 10:37
Summary
GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.
Impacted products
Vendor Product Version
godoxy godoxy *

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "godoxy",
          "vendor": "yusing",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.27.5"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:godoxy:godoxy:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "1505EC25-9DA1-4B84-A1B4-EA519A33AB71",
              "versionEndExcluding": "0.27.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container\u0027s UID. Version 0.27.5 fixes the issue."
    },
    {
      "lang": "es",
      "value": "GoDoxy es un proxy inverso y orquestador de contenedores para autoalojadores. Antes de la versi\u00f3n 0.27.5, el endpoint de la API de contenido de archivos en \u0027/api/v1/file/content\u0027 es vulnerable a salto de ruta. El par\u00e1metro de consulta \u0027filename\u0027 se pasa directamente a \u0027path.Join(common.ConfigBasePath, filename)\u0027 donde \u0027ConfigBasePath = \"config\"\u0027 (una ruta relativa). No se aplica ninguna sanitizaci\u00f3n ni validaci\u00f3n m\u00e1s all\u00e1 de verificar que el campo no est\u00e9 vac\u00edo (\u0027binding:\"required\"\u0027). Un atacante autenticado puede usar secuencias \u0027../\u0027 para leer o escribir archivos fuera del directorio \u0027config/\u0027 previsto, incluyendo claves privadas TLS, tokens de actualizaci\u00f3n de OAuth y cualquier archivo accesible al UID del contenedor. La versi\u00f3n 0.27.5 soluciona el problema."
    }
  ],
  "id": "CVE-2026-33528",
  "lastModified": "2026-06-17T10:37:39.437",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-33528",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-03-27T13:45:54.133084Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-03-26T20:16:14.913",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…