CVE-2026-30345
Zip Slip Vulnerability in CTFd Admin Import Allows Arbitrary File Write
Publication date: 2026-03-18
Last updated on: 2026-04-28
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ctfd | ctfd | to 3.8.1-18-gdb5a18c4 (exc) |
| ctfd | ctfd | From 3.8.2 (exc) |
| ctfd | ctfd | to 3.8.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30345 is a zip slip vulnerability in the Admin import functionality of CTFd versions prior to 3.8.2. It allows a malicious admin user to supply a specially crafted zip file during import, which can write arbitrary files outside the intended directories.
This arbitrary file write can lead to further exploitation such as arbitrary code execution depending on the deployment environment and configuration.
Specifically, the vulnerability affects the backup import functionality and can be exploited to create persistent backdoors, for example by modifying the .bashrc file to execute malicious code whenever a new shell session starts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability impact me?
Exploitation of this vulnerability allows an attacker with admin access to write arbitrary files on the system running CTFd, potentially leading to arbitrary code execution.
If the CTFd instance is running with elevated privileges (such as root), the attacker can create persistent backdoors that survive container restarts and remain on the host system.
This can compromise the integrity and security of the system, allowing unauthorized control and potentially leading to further attacks or data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for unauthorized arbitrary file writes, especially the presence of suspicious files like a modified .bashrc that could act as a persistent backdoor.
One method is to inspect the filesystem for unexpected files created outside intended directories after an import operation in CTFd.
In containerized environments, you can check for the presence of the backdoor by opening a shell session inside the container and inspecting the .bashrc file.
- Use docker exec to open a shell in the running CTFd container: docker exec -it ctfd bash
- Inspect the .bashrc file for suspicious entries: cat ~/.bashrc
- Check for unexpected files created outside the intended import directories on the host or container filesystem.
Additionally, the provided proof of concept (PoC) Python script can be used in authorized testing environments to verify if the system is vulnerable by attempting the crafted import.
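As an added example (not code from CTFd or from this advisory), the following pre-import check scans an archive's member names for the CWE-23 pattern described above without extracting anything: absolute paths, ".." segments that resolve outside the import directory, and symlink members are all reported. The destination directory and the constructed sample archive are assumptions for illustration.

```python
import io
import os
import zipfile
from typing import List


def unsafe_zip_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Return archive member names that would land outside dest_dir.

    A member is flagged if it is an absolute path, escapes the destination
    after normalisation (".." segments), or is a symlink (a later member
    could write through it). Only names are inspected; nothing is extracted.
    """
    dest_root = os.path.realpath(dest_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # The high 16 bits of external_attr carry the Unix mode bits.
            mode = (info.external_attr >> 16) & 0o170000
            if mode == 0o120000:  # S_IFLNK
                flagged.append(info.filename)
                continue
            if name.startswith("/") or os.path.isabs(name):
                flagged.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign member and one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("db/config.json", "{}")
        zf.writestr("../../../.bashrc", "# constructed marker, not a payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed import directory; it does not need to exist for the check.
    print("unsafe members:", unsafe_zip_entries(build_sample_archive(), "/tmp/ctfd_import"))
```

Run it against a backup archive before importing; any non-empty result means the archive should not be imported on a version prior to the fix.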
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update CTFd to version 3.8.2 or later, where the vulnerability has been fixed.
If you are using the provided docker-compose.yml, ensure that the CTFd container does not run as the root user, as running as an unprivileged user reduces risk.
Hosted CTFd instances have already been updated and are not affected, so self-hosted users should promptly apply the update.
Avoid importing untrusted or specially crafted zip files until the update is applied.