CVE-2026-33528
Path Traversal in GoDoxy File Content API Allows Sensitive Data Access
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| godoxy | godoxy | to 0.27.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated attacker to read or write arbitrary files accessible by the container's user ID, including sensitive files such as TLS private keys and OAuth refresh tokens. This unauthorized access and potential disclosure of sensitive data can lead to impersonation, account takeover, and information disclosure.
Such unauthorized access to sensitive information can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.
Can you explain this vulnerability to me?
CVE-2026-33528 is a path traversal vulnerability in the GoDoxy project's file content API endpoint at `/api/v1/file/content`. The vulnerability arises because the `filename` query parameter is directly passed to a path joining function without proper sanitization or validation, allowing an authenticated attacker to use sequences like `../` to escape the intended `config/` directory.
This flaw enables attackers to read or write files outside the designated directory, including sensitive files such as TLS private keys, OAuth refresh tokens, and other files accessible to the container's user ID.
The issue was fixed in version 0.27.5 by restricting file access strictly to the application root directory using secure file opening methods that prevent directory traversal.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized disclosure and modification of sensitive files within the container environment.
- An attacker with authentication can read sensitive files such as TLS private keys, OAuth refresh tokens, and system certificates.
- Attackers can write arbitrary files outside the intended directory, potentially injecting malicious configuration files that could alter application behavior.
- These actions can lead to impersonation of the GoDoxy server, account takeover, and information disclosure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access files outside the intended directory via the vulnerable API endpoint `/api/v1/file/content` using path traversal sequences like `../` in the `filename` query parameter.
For example, an authenticated user can try sending a GET request to read sensitive files outside the `config/` directory, such as TLS private keys or OAuth tokens.
A sample command using curl to test for the vulnerability is:
- curl -i -H "Cookie: godoxy_token=<JWT>" "http://<host>:<port>/api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem"
If the server responds with the contents of the targeted file, the system is vulnerable.
Additionally, attempts to write files outside the intended directory can be tested using the PUT method on the same endpoint with path traversal sequences in the filename.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade GoDoxy to version 0.27.5 or later, where the vulnerability is fixed.
Version 0.27.5 includes a fix that restricts file access strictly to the application root directory by using the `os.OpenRoot` function, preventing path traversal attacks.
Additionally, the update enhances CSRF protection which strengthens overall security.
If upgrading immediately is not possible, restrict access to the vulnerable API endpoint to trusted users only and monitor for suspicious requests containing path traversal patterns.