CVE-2026-33054
Path Traversal in Mesop UI Framework Causes File Manipulation

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Mesop is a Python-based UI framework for building web applications. Versions 1.2.2 and earlier contain a Path Traversal vulnerability: any user who supplies an untrusted state_token through the UI stream payload can target arbitrary files on disk when the standard file-based runtime backend is in use. This can result in application denial of service (crash loops when non-msgpack target files are read as configuration) or arbitrary file manipulation. The vulnerability particularly exposes deployments that run with FileStateSessionBackend. Unauthenticated attackers could overwrite or delete underlying service resources outside the application's own directory. This issue has been fixed in version 1.2.3.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: mesop-dev
Product: mesop
Version / Range: up to 1.2.3 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33054 is a critical Path Traversal vulnerability in the Mesop Python-based UI framework, specifically affecting versions 1.2.2 and below. The vulnerability exists in the FileStateSessionBackend component, which handles disk-based session storage. It arises because the application accepts an untrusted state_token parameter from the UI stream payload without proper validation. This token is used to construct file paths on the server.

An attacker can supply a crafted state_token containing path traversal sequences (such as "../../") to escape the intended session storage directory and access arbitrary files on the host filesystem. This can lead to unauthorized reading, writing, or deletion of files outside the application's scope.

The vulnerability can cause application denial of service by triggering crash loops when the application tries to parse non-msgpack files as configurations, or allow arbitrary file manipulation by malicious actors. The issue was fixed in version 1.2.3 by adding strict token validation and path resolution checks to prevent directory traversal. [1, 2]


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Unauthorized access to sensitive files on the server by exploiting path traversal sequences in the state_token.
  • Arbitrary file manipulation such as overwriting or deleting critical service resources outside the application boundaries.
  • Denial of service caused by application crash loops when it attempts to read invalid configuration files.
  • Remote exploitation without any privileges or user interaction, making it easy for attackers to compromise the system.

Overall, the vulnerability can lead to complete compromise of confidentiality, integrity, and availability of the affected system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious or malicious state_token values being sent to the /ui endpoint of the Mesop application. Specifically, look for tokens containing path traversal sequences such as "../" or other unexpected characters outside the base64url alphabet.

One practical approach is to capture network traffic or application logs to identify requests with unusual or malformed state_token parameters.

Example commands to detect such attempts could include:

  • Using tcpdump or tshark to filter HTTP requests containing suspicious tokens:

    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'state_token=.*(\.\./|\s|\0)'

  • Using grep on application logs to find invalid tokens containing path traversal patterns:

    grep -E 'state_token=.*(\.\./|\s|\0)' /path/to/mesop/logs/*

Additionally, after patching, the application raises exceptions for invalid tokens, so monitoring logs for "MesopException" errors with messages like "Invalid state token." can help detect exploitation attempts. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade the Mesop package to version 1.2.3 or later, where the vulnerability has been fixed.

This update includes strict validation of the state_token parameter, rejecting tokens with invalid characters or path traversal sequences, and ensures file paths are confined within the intended base directory.

If upgrading immediately is not possible, consider implementing network-level protections such as firewall rules or web application firewall (WAF) filters to block requests containing suspicious state_token values with path traversal patterns.

Also, monitor application logs for exceptions related to invalid tokens and unusual file access patterns to detect and respond to exploitation attempts.
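The following is an added illustration, not Mesop's own code: it models the two defensive checks the mitigation and detection answers describe (an allowlisted base64url token, and a resolved path confined to the session directory) beside the unchecked join that the advisory describes, and runs the same token rule over constructed log lines to flag traversal attempts. The directory name, log format and token length limit are assumptions.

```python
import re
from pathlib import Path

# Assumption: a valid session token uses only the base64url alphabet (see the
# detection answer above); the 128-character ceiling is an assumed sanity bound.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


class InvalidStateToken(ValueError):
    """Raised when a state_token fails validation."""


def vulnerable_session_path(base_dir: str, state_token: str) -> Path:
    """The unchecked join the advisory describes: the token is used as a path as-is."""
    return Path(base_dir) / state_token


def escapes_base(base_dir: str, state_token: str) -> bool:
    """True if the unchecked join would resolve outside base_dir."""
    base = Path(base_dir).resolve()
    target = vulnerable_session_path(base_dir, state_token).resolve()
    return base not in target.parents


def resolve_session_path(base_dir: str, state_token: str) -> Path:
    """Hardened variant: allowlist the token, then confirm the resolved path stays under base_dir."""
    if not TOKEN_RE.fullmatch(state_token):
        raise InvalidStateToken("Invalid state token.")
    base = Path(base_dir).resolve()
    target = (base / state_token).resolve()
    # Belt and braces: even an allowlisted token must resolve inside the session directory.
    if base not in target.parents:
        raise InvalidStateToken("Invalid state token.")
    return target


def is_safe_state_token(base_dir: str, state_token: str) -> bool:
    """Boolean form of resolve_session_path, convenient for request filtering."""
    try:
        resolve_session_path(base_dir, state_token)
        return True
    except InvalidStateToken:
        return False


# Constructed sample log lines (assumed format, not real Mesop output).
SAMPLE_LOGS = [
    "POST /ui state_token=Zm9vYmFy-_ status=200",
    "POST /ui state_token=../../tmp/evil status=500",
    "POST /ui state_token=abc%2F..%2F.. status=500",
    "GET /static/app.js status=200",
]
LOG_TOKEN_RE = re.compile(r"state_token=(\S+)")


def find_suspicious_tokens(lines):
    """Return every logged state_token that falls outside the base64url allowlist."""
    hits = []
    for line in lines:
        m = LOG_TOKEN_RE.search(line)
        if m and not TOKEN_RE.fullmatch(m.group(1)):
            hits.append(m.group(1))
    return hits
```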

