CVE-2026-33529
Authenticated Path Traversal in Zoraxy Allows Remote Code Execution
Publication date: 2026-03-26
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoraxy | zoraxy | < 3.3.2 (fixed in 3.3.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33529 is an authenticated path traversal in the configuration import endpoint (POST /api/conf/import) of Zoraxy versions before 3.3.2. An authenticated user can upload a crafted ZIP whose entry names defeat the sanitization applied during import, so entries are written outside the intended configuration directory.
The root cause is that the sanitizer removes rather than rejects: it deletes each literal "../" substring in a single pass. Each "..././" segment of an entry name such as conf/..././..././entrypoint.py is a ".", a "../" and a "./"; deleting the "../" joins the remaining "." and "./" back into "../". After sanitization the name reads conf/../../entrypoint.py and resolves two levels above the configuration directory, so the attacker can create or overwrite any file the Zoraxy process can write.
Using this, the attacker drops a plugin directory of their own (the proof of concept uses /opt/zoraxy/plugin/evil/start.sh) and modifies entrypoint.py, which yields remote code execution the next time the container is restarted. The attack requires a valid login and a crafted ZIP upload; nothing executes until that restart.
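To make the bypass concrete, here is an added Go example (Zoraxy is written in Go) that is not the project's own code and not the proof of concept: weakSanitize reconstructs the single-pass "../" strip the description refers to, and safeTarget shows the validate-rather-than-rewrite alternative. The configuration directory /opt/zoraxy/conf and the entry names conf/proxy.json and ../plugin/evil/start.sh are assumed for illustration; conf/..././..././entrypoint.py is the payload shape given on this page.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// weakSanitize reconstructs the flawed pattern the advisory describes: one
// pass that deletes every "../" substring. Illustration only, not Zoraxy code.
func weakSanitize(name string) string {
	return strings.ReplaceAll(name, "../", "")
}

// weakTarget is where a naive importer would write the entry: sanitize the
// name, then join it under the config directory with no further check.
func weakTarget(confDir, name string) string {
	return path.Join(confDir, weakSanitize(name))
}

// isLocalPath reports whether a slash-separated archive name resolves inside
// the directory it is joined to. It validates instead of rewriting, so there
// is no transformation for an attacker to exploit.
func isLocalPath(name string) bool {
	if name == "" || path.IsAbs(name) || strings.ContainsAny(name, "\\\x00") {
		return false
	}
	clean := path.Clean(name)
	return clean != ".." && !strings.HasPrefix(clean, "../")
}

var errEscape = errors.New("archive entry escapes the configuration directory")

// safeTarget is the hardened counterpart of weakTarget: the entry is rejected
// unless both the raw name and the final joined path stay under confDir.
func safeTarget(confDir, name string) (string, error) {
	if !isLocalPath(name) {
		return "", fmt.Errorf("%w: %q", errEscape, name)
	}
	base := path.Clean(confDir)
	dest := path.Join(base, name)
	if dest != base && !strings.HasPrefix(dest, base+"/") {
		return "", fmt.Errorf("%w: %q", errEscape, name)
	}
	return dest, nil
}

func main() {
	confDir := "/opt/zoraxy/conf" // assumed layout; adjust to your deployment
	names := []string{
		"conf/proxy.json",                // ordinary entry (constructed)
		"conf/..././..././entrypoint.py", // payload shape from the advisory
		"../plugin/evil/start.sh",        // plain traversal (constructed)
	}
	for _, name := range names {
		fmt.Printf("%-32s weak strip -> %s\n", name, weakTarget(confDir, name))
		if dest, err := safeTarget(confDir, name); err != nil {
			fmt.Printf("%-32s validate   -> rejected: %v\n", "", err)
		} else {
			fmt.Printf("%-32s validate   -> %s\n", "", dest)
		}
	}
}
```

The single-pass strip does stop the plain ../plugin/evil/start.sh entry, which is why it looks like it works, but it turns the doubled form into /opt/zoraxy/entrypoint.py. Note that the untouched payload name is itself local (it resolves to a directory literally named "..." under the config directory); it is the rewrite that manufactures the traversal. Deleting substrings, even repeatedly, is the wrong tool; the robust fix validates the resolved path and rejects the entry, and a stricter importer may simply refuse any name containing "..". Go 1.20 and later also ship path/filepath.IsLocal for this check.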
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not explicitly address how the vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability allows an authenticated user to write arbitrary files outside the intended configuration directory, which can lead to remote code execution (RCE) on the Zoraxy server.
If the Docker socket is mapped into the container, exploitation can escalate to a full host takeover, posing a severe security risk.
The attacker can create a persistent malicious plugin and modify the entrypoint script to execute arbitrary shell commands, potentially compromising the confidentiality and integrity of the system.
Exploitation does require an authenticated account able to use the import API (rated high privileges and high attack complexity), and the modified entrypoint only runs after the container is restarted, so the payload lies dormant until then.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two different questions are worth separating: whether an instance is vulnerable, and whether it has already been exploited. An instance is vulnerable if it runs Zoraxy older than 3.3.2 and exposes the configuration import endpoint, a POST to /api/conf/import that accepts a ZIP file. An entry name such as conf/..././..././entrypoint.py survives the single-pass "../" strip as conf/../../entrypoint.py and is written outside the configuration directory.
Uploading a crafted ZIP confirms the flaw; it is not passive detection. If the instance is vulnerable the upload really does write the files, so do this only against a disposable copy of the deployment and use a harmless marker file rather than a payload. A file appearing outside the configuration directory, or a changed entrypoint.py, confirms the instance is exploitable.
The proof of concept automates the round trip with a Python script: fetch the CSRF token, log in, export the current configuration, add the traversal entry to the exported ZIP, and import it back. Any HTTP client (curl, for example) can perform the same steps by hand.
- Confirm the running version is 3.3.2 or later; anything older is affected regardless of other findings.
- Look for plugin directories you did not create (the proof of concept uses /opt/zoraxy/plugin/evil/start.sh) and for an entrypoint.py whose contents or modification time differ from the image's copy. `docker diff <container>` lists files changed in the container's writable layer; a volume-backed directory has to be compared against a known-good copy instead.
- Look for marker files such as /tmp/pwned.txt from the proof of concept. Their presence means the modified entrypoint has already executed, i.e. the container has been restarted since the import.
- Review reverse-proxy and Zoraxy logs for POST /api/conf/import requests from unexpected accounts or at unexpected times, and for errors related to ZIP file structure.
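As an added example (not the proof of concept and not Zoraxy's code), the following Go program audits an import ZIP before it reaches the endpoint, for instance from retained uploads or a WAF hook. It flags entries that are absolute or escape on their own, and entries that only escape after the single-pass "../" strip described above, which is the exact shape of this CVE. The archive is built in memory; the entry names conf/proxy.json and ../plugin/evil/start.sh and all file contents are constructed for the example, while conf/..././..././entrypoint.py is the payload shape given on this page.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Finding describes one suspicious archive entry.
type Finding struct {
	Name   string
	Reason string
}

// weakSanitize is the single-pass "../" strip the advisory describes
// (reconstructed for illustration; not Zoraxy's code).
func weakSanitize(name string) string {
	return strings.ReplaceAll(name, "../", "")
}

// isLocalPath reports whether a slash-separated name resolves inside the
// directory it is joined to.
func isLocalPath(name string) bool {
	if name == "" || path.IsAbs(name) || strings.ContainsAny(name, "\\\x00") {
		return false
	}
	clean := path.Clean(name)
	return clean != ".." && !strings.HasPrefix(clean, "../")
}

// entryFinding returns a non-empty reason if an entry name should be flagged.
// The CVE-specific check comes before the generic "../" substring check so the
// report names the bug when the name only escapes after the weak strip.
func entryFinding(name string) string {
	switch {
	case !isLocalPath(name):
		return "absolute, empty or escaping entry name"
	case !isLocalPath(weakSanitize(name)):
		return "escapes after single-pass \"../\" stripping (CVE-2026-33529 shape)"
	case strings.Contains(name, "../"):
		return "contains \"../\" inside a path component"
	}
	return ""
}

// auditImportZip scans every entry of a ZIP and returns the flagged ones.
// Newer Go versions may return an insecure-path error together with a usable
// reader; the audit continues whenever a reader was produced.
func auditImportZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		if reason := entryFinding(f.Name); reason != "" {
			findings = append(findings, Finding{Name: f.Name, Reason: reason})
		}
	}
	return findings, nil
}

type sampleEntry struct{ name, body string }

// buildSampleZip constructs an in-memory archive shaped like a crafted import.
// Names other than the advisory payload, and all contents, are made up here.
func buildSampleZip() []byte {
	entries := []sampleEntry{
		{"conf/proxy.json", "{}"},
		{"conf/..././..././entrypoint.py", "import os\nos.system(\"touch /tmp/pwned.txt\")\n"},
		{"../plugin/evil/start.sh", "#!/bin/sh\n"},
	}
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := auditImportZip(buildSampleZip())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(findings) == 0 {
		fmt.Println("no suspicious entries")
	}
	for _, f := range findings {
		fmt.Printf("FLAG %-34s %s\n", f.Name, f.Reason)
	}
}
```

Running it flags the two traversal entries and leaves conf/proxy.json alone. The same entryFinding logic can be pointed at archives recovered from request captures or upload quarantines; for live traffic the endpoint itself should be doing this validation, which is what the fixed version is for.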
What immediate steps should I take to mitigate this vulnerability?
The fix is to upgrade Zoraxy to version 3.3.2 or later, where the ZIP entry path sanitization in the configuration import is corrected.
Until the upgrade can be applied, restrict who can reach the import endpoint: it is only needed by administrators, so keep Zoraxy's management interface behind network controls (VPN or allow-listed source addresses) and keep the set of accounts that can log in to it minimal. Exploitation needs a valid login, so credential hygiene on those accounts matters as well.
Additionally, monitor and audit any configuration import activities for suspicious ZIP files or unexpected file writes outside the configuration directory.
If exploitation is suspected, do not restart the container as a clean-up step: a restart is what executes a modified entrypoint.py, and the written files persist across restarts. Inspect the plugin directory and entrypoint.py first, remove any foreign plugin, restore entrypoint.py from a known-good image, rotate the credentials of every account that could have performed the import, and only then restart. If the Docker socket was mapped into the container, treat the host as potentially compromised too.
- Upgrade Zoraxy to version 3.3.2 or later.
- Limit access to the management interface and the import API to trusted administrators.
- Audit import logs and the file system for unauthorized changes.
- Remove foreign plugins and restore entrypoint.py before any restart, and rotate credentials.