CVE-2026-33528
Received Received - Intake
Path Traversal in GoDoxy File Content API Allows Sensitive Data Access

Publication date: 2026-03-26

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33528
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
godoxy godoxy to 0.27.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated attacker to read or write arbitrary files accessible by the container's user ID, including sensitive files such as TLS private keys and OAuth refresh tokens. This unauthorized access and potential disclosure of sensitive data can lead to impersonation, account takeover, and information disclosure.

Such unauthorized access to sensitive information can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.

Executive Summary

CVE-2026-33528 is a path traversal vulnerability in the GoDoxy project's file content API endpoint at `/api/v1/file/content`. The vulnerability arises because the `filename` query parameter is directly passed to a path joining function without proper sanitization or validation, allowing an authenticated attacker to use sequences like `../` to escape the intended `config/` directory.

This flaw enables attackers to read or write files outside the designated directory, including sensitive files such as TLS private keys, OAuth refresh tokens, and other files accessible to the container's user ID.

The issue was fixed in version 0.27.5 by restricting file access strictly to the application root directory using secure file opening methods that prevent directory traversal.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure and modification of sensitive files within the container environment.

  • An attacker with authentication can read sensitive files such as TLS private keys, OAuth refresh tokens, and system certificates.
  • Attackers can write arbitrary files outside the intended directory, potentially injecting malicious configuration files that could alter application behavior.
  • These actions can lead to impersonation of the GoDoxy server, account takeover, and information disclosure.
Detection Guidance

This vulnerability can be detected by attempting to access files outside the intended directory via the vulnerable API endpoint `/api/v1/file/content` using path traversal sequences like `../` in the `filename` query parameter.

For example, an authenticated user can try sending a GET request to read sensitive files outside the `config/` directory, such as TLS private keys or OAuth tokens.

A sample command using curl to test for the vulnerability is:

  • curl -i -H "Cookie: godoxy_token=<JWT>" "http://<host>:<port>/api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem"

If the server responds with the contents of the targeted file, the system is vulnerable.

Additionally, attempts to write files outside the intended directory can be tested using the PUT method on the same endpoint with path traversal sequences in the filename.

Mitigation Strategies

The immediate mitigation step is to upgrade GoDoxy to version 0.27.5 or later, where the vulnerability is fixed.

Version 0.27.5 includes a fix that restricts file access strictly to the application root directory by using the `os.OpenRoot` function, preventing path traversal attacks.

Additionally, the update enhances CSRF protection which strengthens overall security.

If upgrading immediately is not possible, restrict access to the vulnerable API endpoint to trusted users only and monitor for suspicious requests containing path traversal patterns.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33528. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart