CVE-2026-1616
Path Traversal in OSIM nginx Config via Query Parameters
Publication date: 2026-01-29
Last updated on: 2026-03-10
Assigner: redhat-cnalr
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | open_security_issue_management | to 2025.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-1616 is a path traversal attack in NGINX configurations caused by the concatenation of `$uri$args`. This allows attackers to manipulate query parameters to perform unauthorized path traversal, potentially accessing files or directories outside the intended scope. The issue arises because the `$uri$args` concatenation improperly handles query parameters, enabling this attack vector. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to access unauthorized files or directories on the server by exploiting the path traversal via query parameters. However, in this specific case, the affected NGINX instance runs inside a container as a non-root user (UID 999), which limits the potential impact. Additionally, the tool is internal and accessible only to authorized users, and no sensitive data is present in the affected environment, further reducing risk. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, remove the use of `$args` from the NGINX configuration file where `$uri$args` concatenation is used. This prevents path traversal attacks via query parameters. Applying the fix as implemented in the referenced pull request (#615) is recommended, which involves updating the NGINX configuration to exclude `args`. Additionally, ensure your NGINX instance is running with least privilege, such as a non-root user, to limit impact. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows path traversal attacks via query parameters, but the affected environment is internal, accessible only to authorized users, and confirmed to contain no sensitive data. Therefore, the vulnerability does not directly impact compliance with standards like GDPR or HIPAA in this context. [1]