CVE-2026-23877
Directory Traversal in Swing Music Allows Arbitrary File Access

Publication date: 2026-01-19

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.
Meta Information
Published: 2026-01-19
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: swingmx
Product: swing_music
Version / Range: all versions before 2.1.4 (2.1.4 itself excluded)
CWE ID / Description
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-25: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/../" sequences that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23877 is a directory traversal vulnerability in the Swing Music application prior to version 2.1.4. It exists in the `list_folders()` function of the `/folder/dir-browser` endpoint, which lacks proper path validation and authorization checks. This flaw allows any authenticated user, including non-admins, to browse arbitrary directories on the server filesystem by exploiting improper handling of directory paths, such as using `../` sequences to traverse outside intended directories. [2]


How can this vulnerability impact me?

This vulnerability can lead to information disclosure by allowing attackers to access sensitive server filesystem structures, configuration files, user account names, software versions, installed packages, log files, and system paths. It can also facilitate further attacks like Local File Inclusion (LFI) or Remote Code Execution (RCE) by bypassing access controls and exposing sensitive directories. Exploitation requires only low privileges (any authenticated user) and no user interaction, making it a moderate severity risk. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the directory traversal flaw in the `/folder/dir-browser` POST API endpoint of Swing Music versions prior to 2.1.4. For example, an authenticated user can send a POST request with a JSON payload specifying a folder path containing directory traversal sequences like `/music/../proc/self/`. If the server responds with directory listings from unintended locations such as `/proc/self`, it indicates the vulnerability is present. A sample curl command to test this could be:

curl -X POST -H "Content-Type: application/json" -d '{"folder": "/music/../proc/self/"}' http://<server-address>/folder/dir-browser

If the response includes directory entries like `attr`, `cwd`, `fd`, etc., the system is vulnerable. [2]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade Swing Music to version 2.1.4 or later, where the issue is fixed. The fix includes strict path validation that ensures all file system accesses remain within user-configured root directories, preventing directory traversal. Additionally, access to the vulnerable `list_folders()` function is restricted to admin users only. If upgrading is not immediately possible, restrict access to the `/folder/dir-browser` endpoint to trusted users and monitor for suspicious requests attempting directory traversal sequences. Implementing network-level controls to limit access to the application and applying strict input validation on paths can also help mitigate the risk. [1, 2]
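As an added illustration of the path validation described in the mitigation above (example code written for this page, not Swing Music's own implementation): a root-containment check that canonicalises the requested path before comparing it to the configured library roots, shown beside the weak string-prefix test that lets `/music/../proc/self/` through. The root directories, the `dir_browser` handler and its response shape are assumptions for the example.

```python
import os
from typing import Iterable, Optional

# Constructed example library roots; a real deployment would take these from
# its own configuration (assumption for this example, not Swing Music's code).
ROOT_DIRS = ("/music", "/srv/audio")


def naive_prefix_check(requested: str, roots: Iterable[str] = ROOT_DIRS) -> bool:
    """Weak check: a string-prefix test on the raw request. It accepts
    '/music/../proc/self/' (starts with '/music') and '/music2/...' (prefix
    matching ignores path component boundaries)."""
    return any(requested.startswith(root) for root in roots)


def resolve_within_roots(requested: str,
                         roots: Iterable[str] = ROOT_DIRS) -> Optional[str]:
    """Return the canonical path if it lies inside one of `roots`, else None.
    realpath collapses '..', '.' and repeated separators and follows symlinks,
    so the containment test runs on where the path really points."""
    target = os.path.realpath(requested)
    for root in roots:
        root_canon = os.path.realpath(root)
        try:
            # commonpath compares whole components, so '/music2' is not
            # treated as a child of '/music' the way str.startswith would.
            if os.path.commonpath([root_canon, target]) == root_canon:
                return target
        except ValueError:
            # Mixed absolute/relative paths or different drives: not contained.
            continue
    return None


def dir_browser(payload: dict) -> dict:
    """Validate the 'folder' field of a dir-browser style JSON request and
    return the canonical folder to list, or an error for a 4xx response.
    The field name mirrors the request shown on this page; the response
    shape is an assumption for the example."""
    folder = payload.get("folder")
    if not isinstance(folder, str) or not folder:
        return {"error": "folder must be a non-empty string"}
    resolved = resolve_within_roots(folder)
    if resolved is None:
        return {"error": "folder is outside the configured root directories"}
    return {"folder": resolved}
```

The same containment test should guard every filesystem access the endpoint performs, not just the first lookup, and the listing itself should still be limited to the roles the application intends to expose it to.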


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows any authenticated user to browse arbitrary directories on the server filesystem, potentially exposing sensitive information such as configuration files, user account names, software versions, installed packages, log file locations, and system paths. This unauthorized access and information disclosure could lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate protection of sensitive data and proper access controls. Therefore, the vulnerability negatively impacts compliance by enabling unauthorized data exposure and weakening access control mechanisms. [2]

