GHSA-824X-88XG-CWRV

Vulnerability from github – Published: 2026-01-05 20:02 – Updated: 2026-01-08 20:07
VLAI?
Summary
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
Details

Summary

Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. image image

Details

The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories.
An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive.

Vulnerable code: - redaxo/src/addons/backup/pages/export.php (lines 72-76) – directly uses $_POST['EXPDIR'] - redaxo/src/addons/backup/lib/backup.php (lines ~413 & ~427) – concatenates unsanitized user input with base path

This allows disclosure of sensitive files such as: - redaxo/data/core/config.yml → database credentials + password hashes of all backend users - .env, custom configuration files, logs, uploaded malicious files, etc.

Affected versions

≤ 5.20.1 (confirmed working)

Patched versions

None (as of 2025-12-09)

PoC – Extracting database credentials and password hashes

  1. Log in as any user with Backup permission
  2. Go to Backup → Export → Files

image

  1. Intercept the request with Burp Suite

image

  1. Change one EXPDIR[] value to ../../../../var/www/html/redaxo/data/core

image

  1. Send request → download archive image

  2. Extract and open data/core/config.yml image

Result: plaintext database password image

Impact

Full compromise of the REDAXO installation: - Database takeover - Password hash extraction → offline cracking → admin access - When combined with other vulnerabilities → RCE

CVSS 4.0 vector & score below.

Credits

Discovered by: Łukasz Rybak

Severity ?
8.3 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.20.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "redaxo/source"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.20.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T20:02:58Z",
    "nvd_published_at": "2026-01-07T23:15:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAuthenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon\u0027s file export functionality.\n\u003cimg width=\"664\" height=\"899\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5\" /\u003e\n\u003cimg width=\"2358\" height=\"445\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb\" /\u003e\n\n\n### Details\nThe Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories.  \nAn attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive.\n\nVulnerable code:\n- `redaxo/src/addons/backup/pages/export.php` (lines 72-76) \u2013 directly uses `$_POST[\u0027EXPDIR\u0027]`\n- `redaxo/src/addons/backup/lib/backup.php` (lines ~413 \u0026 ~427) \u2013 concatenates unsanitized user input with base path\n\nThis allows disclosure of sensitive files such as:\n- `redaxo/data/core/config.yml` \u2192 database credentials + password hashes of all backend users\n- `.env`, custom configuration files, logs, uploaded malicious files, etc.\n\n### Affected versions\n\u2264 5.20.1 (confirmed working)\n\n### Patched versions\nNone (as of 2025-12-09)\n\n### PoC \u2013 Extracting database credentials and password hashes\n1. Log in as any user with Backup permission\n2. Go to Backup \u2192 Export \u2192 Files\n\n\u003cimg width=\"1240\" height=\"960\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bc05ba18-9664-4be2-b637-4fec3a0f409a\" /\u003e\n\n3. Intercept the request with Burp Suite \n\n\u003cimg width=\"2184\" height=\"478\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9fa754a1-2cd0-4d3d-a5cc-cfa34c8a1718\" /\u003e\n\n4. Change one `EXPDIR[]` value to `../../../../var/www/html/redaxo/data/core`\n\n\u003cimg width=\"978\" height=\"591\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d15f5c7f-b72c-44cc-9be2-da8d3f26f124\" /\u003e\n\n5. Send request \u2192 download archive\n\u003cimg width=\"423\" height=\"131\" alt=\"image\" src=\"https://github.com/user-attachments/assets/db8a8bda-cdaf-4dea-812f-1e312da908e2\" /\u003e\n\n6. Extract and open `data/core/config.yml`\n\u003cimg width=\"859\" height=\"281\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c8112ce1-5a1d-435f-953b-7eb4e711e042\" /\u003e\n\nResult: plaintext database password \n\u003cimg width=\"2534\" height=\"1198\" alt=\"image\" src=\"https://github.com/user-attachments/assets/218ae917-868a-437e-98b0-6471b82c0b10\" /\u003e\n\n### Impact\nFull compromise of the REDAXO installation:\n- Database takeover\n- Password hash extraction \u2192 offline cracking \u2192 admin access\n- When combined with other vulnerabilities \u2192 RCE\n\nCVSS 4.0 vector \u0026 score below.\n\n### Credits\nDiscovered by: \u0141ukasz Rybak",
  "id": "GHSA-824x-88xg-cwrv",
  "modified": "2026-01-08T20:07:42Z",
  "published": "2026-01-05T20:02:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21857"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/redaxo/redaxo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redaxo/redaxo/releases/tag/5.20.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.