CVE-2026-33529
Received Received - Intake
Authenticated Path Traversal in Zoraxy Allows Remote Code Execution

Publication date: 2026-03-26

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33529
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoraxy zoraxy to 3.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33529 is an authenticated path traversal vulnerability in the configuration import endpoint of Zoraxy versions prior to 3.3.2. This flaw allows an authenticated user to bypass sanitization of ZIP file entries during configuration import, enabling them to write arbitrary files outside the intended configuration directory.

The vulnerability arises because the sanitization method intended to prevent path traversal by removing "../" sequences can be bypassed by embedding these sequences within longer strings containing "./", leaving a "../" sequence intact. This allows an attacker to create or overwrite files outside the configuration directory.

Exploiting this, an attacker can write a malicious plugin directory and modify the entrypoint.py file, which can lead to remote code execution (RCE) after a manual container restart. The attack requires authentication and involves uploading a crafted ZIP file that contains the path traversal payload.

Impact Analysis

This vulnerability allows an authenticated user to write arbitrary files outside the intended configuration directory, which can lead to remote code execution (RCE) on the Zoraxy server.

If the Docker socket is mapped into the container, exploitation can escalate to a full host takeover, posing a severe security risk.

The attacker can create a persistent malicious plugin and modify the entrypoint script to execute arbitrary shell commands, potentially compromising the confidentiality and integrity of the system.

However, exploitation requires high privileges (authenticated user), high attack complexity, and manual container restart to activate the payload.

Detection Guidance

This vulnerability can be detected by monitoring and testing the configuration import endpoint for path traversal attempts. Specifically, the vulnerable endpoint is a POST request to /api/conf/import that accepts a ZIP file. Detection involves checking if crafted ZIP files containing path traversal sequences like conf/..././..././entrypoint.py can be uploaded and cause files to be written outside the intended configuration directory.

A practical detection method is to attempt an authenticated POST request to /api/conf/import with a specially crafted ZIP file containing path traversal payloads. Observing whether files are created outside the configuration directory or if the entrypoint.py file is modified can confirm exploitation.

Suggested commands include using curl or similar tools to authenticate and upload a crafted ZIP file. For example, a Python script (as demonstrated in the proof of concept) can automate this process by extracting CSRF tokens, logging in, exporting configuration, modifying the ZIP with path traversal payloads, and importing it back.

  • Use curl or HTTP client to POST a crafted ZIP file to /api/conf/import after authentication.
  • Check for unexpected files outside the config directory, such as /opt/zoraxy/plugin/evil/start.sh or modified entrypoint.py.
  • Monitor for creation of files like /tmp/pwned.txt which may indicate successful code execution.
  • Review logs for suspicious import activity or errors related to ZIP file structure.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade Zoraxy to version 3.3.2 or later, where the vulnerability is patched by replacing the vulnerable Web File Manager API with a secure WebDAV Server implementation and improving path sanitization.

Until the upgrade can be applied, restrict access to the configuration import endpoint to trusted and authenticated users only, as exploitation requires authentication with high privileges.

Additionally, monitor and audit any configuration import activities for suspicious ZIP files or unexpected file writes outside the configuration directory.

If exploitation is suspected, manually restart the Zoraxy container to clear any malicious entrypoint modifications, as the container does not automatically restart upon configuration import.

  • Upgrade Zoraxy to version 3.3.2 or later.
  • Limit access to the configuration import API to trusted authenticated users.
  • Audit import logs and file system for unauthorized changes.
  • Manually restart the container if exploitation is suspected.
Compliance Impact

The provided information does not explicitly address how the vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33529. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart