CVE-2026-30345
Zip Slip Vulnerability in CTFd Admin Import Allows Arbitrary File Write

Publication date: 2026-03-18

Last updated on: 2026-04-28

Assigner: MITRE

Description
A zip slip vulnerability in the Admin import functionality of CTFd v3.8.1-18-gdb5a18c4 allows attackers to write arbitrary files outside the intended directories by supplying a crafted import archive.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (3 associated CPEs)
Vendor  Product  Version / Range
ctfd    ctfd     to 3.8.1-18-gdb5a18c4 (exc)
ctfd    ctfd     From 3.8.2 (exc)
ctfd    ctfd     to 3.8.2 (exc)
CWE ID  Description
CWE-23  The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Executive Summary

CVE-2026-30345 is a zip slip vulnerability in the Admin import functionality of CTFd versions prior to 3.8.2. It allows a malicious admin user to supply a specially crafted zip file during import, which can write arbitrary files outside the intended directories.

This arbitrary file write can lead to further exploitation such as arbitrary code execution depending on the deployment environment and configuration.

Specifically, the vulnerability affects the backup import functionality and can be exploited to create persistent backdoors, for example by modifying the .bashrc file to execute malicious code whenever a new shell session starts.


Impact Analysis

Exploitation of this vulnerability allows an attacker with admin access to write arbitrary files on the system running CTFd, potentially leading to arbitrary code execution.

If the CTFd instance is running with elevated privileges (such as root), the attacker can create persistent backdoors that survive container restarts and remain on the host system.

This can compromise the integrity and security of the system, allowing unauthorized control and potentially leading to further attacks or data breaches.

Detection Guidance

Detecting exploitation of this vulnerability involves checking for unauthorized arbitrary file writes, especially the presence of suspicious files such as a modified .bashrc that could act as a persistent backdoor.

One method is to inspect the filesystem for unexpected files created outside intended directories after an import operation in CTFd.

In containerized environments, you can check for the presence of the backdoor by opening a shell session inside the container and inspecting the .bashrc file.

  • Use docker exec to open a shell in the running CTFd container: docker exec -it ctfd bash
  • Inspect the .bashrc file for suspicious entries: cat ~/.bashrc
  • Check for unexpected files created outside the intended import directories on the host or container filesystem.

Additionally, the provided proof of concept (PoC) Python script can be used in authorized testing environments to verify if the system is vulnerable by attempting the crafted import.

Mitigation Strategies

The primary mitigation step is to update CTFd to version 3.8.2 or later, where the vulnerability has been fixed.

If you are using the provided docker-compose.yml, ensure that the CTFd container does not run as the root user, as running as an unprivileged user reduces risk.

Hosted CTFd instances have already been updated and are not affected, so self-hosted users should promptly apply the update.

Avoid importing untrusted or specially crafted zip files until the update is applied.
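One way to vet an import archive for CWE-23 traversal entries before anything is written to disk, as an added example that is not CTFd's own code: every entry name is joined to the import directory, normalised, and flagged if it lands outside that tree. The in-memory archive, its entry names and the /tmp/ctfd_import destination are constructed for the example.

```python
import io
import zipfile
from pathlib import Path


def escaping_entries(archive: zipfile.ZipFile, dest: str) -> list[str]:
    """Return the entry names that would resolve outside ``dest``.

    Each name is joined to the destination and normalised; an entry whose
    final path is neither the destination itself nor a descendant of it is
    a traversal (absolute names, and names whose '..' components climb out
    of the tree, both end up here).
    """
    root = Path(dest).resolve()
    flagged = []
    for name in archive.namelist():
        target = (root / name).resolve()
        if target != root and root not in target.parents:
            flagged.append(name)
    return flagged


def safe_extract(archive: zipfile.ZipFile, dest: str) -> None:
    """Extract only after every entry has been vetted."""
    bad = escaping_entries(archive, dest)
    if bad:
        raise ValueError(f"refusing import, traversal entries: {bad}")
    archive.extractall(dest)


def build_sample_archive() -> zipfile.ZipFile:
    """Constructed in-memory archive: two benign entries and one that climbs
    two levels above the import directory (sample data, not a real export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("db/challenges.json", "[]")
        zf.writestr("uploads/logo.png", b"")
        zf.writestr("uploads/../../.bashrc", "# constructed traversal entry")
    buf.seek(0)
    return zipfile.ZipFile(buf)


def check_sample(dest: str = "/tmp/ctfd_import") -> list[str]:
    """Vet the sample archive against a hypothetical import directory."""
    return escaping_entries(build_sample_archive(), dest)


if __name__ == "__main__":
    print(check_sample())  # ['uploads/../../.bashrc']
```

CPython's ZipFile.extractall() already strips leading separators and ".." components from entry names; the check above matters for code that builds file paths from entry names and writes them itself.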
