
CVE-2026-41180: High Vulnerability in PsiTransfer

A high-severity vulnerability has been identified in PsiTransfer, an open-source file sharing solution. This vulnerability allows unauthenticated attackers to exploit file upload mechanisms, potentially leading to code execution. Organizations are advised to prioritize remediation through immediate patching.

HIGH · CVSS 7.5 · Published April 23, 2026


CVE-2026-41180 is a high-severity vulnerability affecting PsiTransfer, an open-source, self-hosted file sharing solution. The vulnerability stems from the upload PATCH flow under `/files/:uploadId`, which does not properly validate the request path: it performs its check on the still-encoded `req.path` but later writes to disk using the decoded `req.params.uploadId`. Because the two values can differ, an unauthenticated attacker can create a configuration file in the application root, and that file is loaded on the next process restart.

The vulnerability has been assigned a CVSS score of 7.5, indicating high severity. The attack vector is network-based, user interaction is required, and attack complexity is rated high, so exploitation is possible but requires more than a single unassisted request. Given the potential impact on confidentiality, integrity, and availability, organizations must take this threat seriously.

Organizations should prioritize patching immediately as version 2.4.3 of PsiTransfer contains a fix for this vulnerability. The urgency for remediation is underscored by the risk to organizations, which includes unauthorized access and possible execution of malicious code.

Currently, there are no known exploits in the wild for this vulnerability, but the potential for exploitation exists, especially in environments where the application is improperly configured. Organizations must remain vigilant and ensure that they are running the latest version of the software.

Vulnerability Details

The official description of CVE-2026-41180 notes that this vulnerability allows for the creation of a file named `config.<NODE_ENV>.js` in the application root when certain conditions are met. The affected versions are those prior to 2.4.3, which has been patched.

The vulnerability has been classified under CWE-22, indicating a path traversal issue. The CVSS vector string for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, which highlights the potential for significant impact across confidentiality, integrity, and availability.

Technical Analysis

The root cause of this vulnerability lies in how PsiTransfer validates the target of a file upload. The check runs against the encoded `req.path`, while the write uses the decoded `req.params.uploadId`, so a value that passes validation in its encoded form can resolve to a different location once decoded. The attack vector is network-based and requires user interaction to trigger. Attack complexity is rated high, meaning an attacker may need specific knowledge of the deployment (for example, the process restart that causes the written file to be loaded) to exploit it successfully.

Successful exploitation could lead to unauthorized code execution, with a high impact on confidentiality, integrity, and availability of the affected systems.

Risk & Impact Analysis

Risk to organizations includes unauthorized access to sensitive configuration and execution of arbitrary code, which could lead to broader system compromise. The blast radius extends to any organization running an affected version of PsiTransfer, particularly deployments that expose the upload endpoint to untrusted users.

Given the CVSS score of 7.5, organizations should address this vulnerability in their priority patch cycle. The potential for exploitation in misconfigured environments heightens the urgency for immediate action.

Exploitation Status

Signal: Status
Known Exploit: No
Public PoC: No
Actively Exploited: No
Ransomware Use: No

Affected Versions

All versions prior to 2.4.3 are affected by this vulnerability. Organizations running earlier versions should prioritize upgrading to the latest version to mitigate this risk.

Mitigation & Remediation

Organizations must upgrade to version 2.4.3 of PsiTransfer, which contains the necessary patch to remediate this vulnerability. If immediate patching is not possible, organizations should consider implementing configuration hardening techniques to restrict file upload paths, as well as monitoring for any unauthorized file creations. For ongoing security, organizations can engage in penetration testing to validate their defenses.

Detection Guidance

To detect potential exploitation attempts for this vulnerability, organizations should monitor for unexpected file creations in the application root directory, in particular new files named `config.<NODE_ENV>.js`, and for upload requests whose path contains percent-encoded separators or traversal sequences. Behavioral anomalies in the file upload process should be investigated. Network signatures that alert on unauthorized access attempts to the upload path can also bolster detection.

AppSecure Threat Intelligence Insight

The emergence of CVE-2026-41180 reflects ongoing concerns around file upload vulnerabilities in web applications. Such vulnerabilities can lead to severe consequences if left unaddressed, emphasizing the importance of rigorous security testing and validation processes. Security teams should prioritize addressing configuration management issues that can expose applications to similar risks. For further insights, organizations may find value in exploring our vulnerability management program and understanding the implications of file upload vulnerabilities through our detailed guides on penetration testing methodology and prevention strategies.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
