CVE-2026-33645
Authenticated Path Traversal in Fireshare 1.5.1 Allows Arbitrary File Write
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shaneisrael | fireshare | 1.5.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-33645 allows authenticated attackers to write arbitrary files outside the intended upload directory due to a path traversal vulnerability. This unauthorized file write can violate data integrity and potentially enable further attacks depending on deployment context.
While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity violation and potential for unauthorized file manipulation could lead to non-compliance with regulations that require data integrity, access controls, and protection against unauthorized data modification.
Organizations using affected versions of Fireshare (1.5.1) may risk violating these standards if the vulnerability is exploited, especially if sensitive or regulated data is involved, until the issue is remediated by upgrading to version 1.5.2.
Can you explain this vulnerability to me?
CVE-2026-33645 is an authenticated path traversal vulnerability in Fireshare version 1.5.1, specifically in the chunked upload endpoint `/api/uploadChunked`.
The vulnerability occurs because the multipart form field `checkSum` is used directly to construct filesystem paths without any sanitization, normalization, or containment checks.
This allows an authenticated attacker to craft `checkSum` values containing path traversal sequences (like `../../../../tmp/poc.bin`) and so write arbitrary files outside the intended upload directory, to any location writable by the Fireshare process.
The flaw violates file integrity and can potentially enable further attacks depending on the deployment context.
The issue was fixed in Fireshare version 1.5.2, presumably by adding proper path validation and containment checks.
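The flaw described above, next to a contained version, as an added example that is not Fireshare's code or its actual 1.5.2 patch. The function names, the `<checkSum>.partNNNN` file naming and the hex-digest format of a legitimate `checkSum` are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: a legitimate checkSum is a hex digest; the page does not give its format.
CHECKSUM_RE = re.compile(r"[0-9a-fA-F]{32,128}")


def escapes(upload_dir, path):
    """True when path resolves (symlinks and '..' included) outside upload_dir."""
    root = os.path.realpath(upload_dir)
    # commonpath compares whole components, unlike a startswith() prefix test.
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def unsafe_chunk_path(upload_dir, check_sum, index):
    """The flawed pattern: the form field goes straight into the path."""
    return os.path.join(upload_dir, f"{check_sum}.part{index:04d}")


def safe_chunk_path(upload_dir, check_sum, index):
    """Allow-list the field, then confirm the resolved path stays contained."""
    if not CHECKSUM_RE.fullmatch(check_sum):
        raise ValueError("checkSum is not a hex digest")
    target = os.path.join(upload_dir, f"{check_sum}.part{index:04d}")
    if escapes(upload_dir, target):
        raise ValueError("resolved path escapes the upload directory")
    return os.path.realpath(target)


def demo():
    """Return (unsafe path escapes, safe version rejects, digest accepted)."""
    with tempfile.TemporaryDirectory() as base:
        uploads = os.path.join(base, "uploads")
        os.mkdir(uploads)
        hostile = "../../../../tmp/poc.bin"  # value quoted on this page
        benign = "a" * 64                     # constructed sample digest
        leaked = escapes(uploads, unsafe_chunk_path(uploads, hostile, 0))
        try:
            safe_chunk_path(uploads, hostile, 0)
            rejected = False
        except ValueError:
            rejected = True
        accepted = not escapes(uploads, safe_chunk_path(uploads, benign, 0))
        return leaked, rejected, accepted


if __name__ == "__main__":
    print(demo())
```

The allow-list alone would stop this input; the containment check is kept as a second layer because it also catches symlinks inside the upload directory.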
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to write arbitrary files to locations outside the intended upload directory, anywhere writable by the Fireshare process.
Such unauthorized file writes violate the integrity of the system and may enable follow-on attacks, such as placing malicious files in sensitive locations or manipulating application behavior.
Because the attacker only needs a valid user session (low privileges required), the risk is significant in environments where Fireshare is deployed.
The vulnerability has a CVSS v3.1 base score of 7.1 (High), indicating a serious impact on integrity and a low attack complexity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious authenticated requests to the `/api/uploadChunked` endpoint that include path traversal sequences in the `checkSum` multipart form field.
For example, look for requests where the `checkSum` value contains sequences like `../` or `../../` which indicate attempts to write files outside the intended upload directory.
You can use network monitoring tools or web server logs to search for such patterns.
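- Use grep or similar tools on server logs to find suspicious uploads: `grep -r --include="*.log" "checkSum=.*\.\./" /var/log/fireshare/`. This matches only if form field values are written to the logs, since standard access logs do not record multipart bodies; adjust the log directory to your deployment.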
- Inspect HTTP requests with tools like Wireshark or a web application firewall (WAF) to detect multipart form data containing path traversal sequences in the `checkSum` field.
- If you have access to the Fireshare server, check the filesystem for unexpected `.partNNNN` files outside the upload directory, especially in writable locations like `/tmp`.
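One way to apply the request-inspection check above to a captured or proxied request body, as an added example that is not part of the original page or of Fireshare. The sample body is constructed, and the `blob` file part and the boundary string are hypothetical.

```python
import re
from email import message_from_bytes
from email.policy import HTTP

# Path separators, parent-directory segments and NUL do not belong in a checksum.
SUSPICIOUS = re.compile(r"[/\\\x00]|\.\.")
CONTENT_TYPE = "multipart/form-data; boundary=constructedboundary"


def form_fields(content_type, body):
    """Parse a multipart/form-data body into {name: text} for non-file parts."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    fields = {}
    for part in message_from_bytes(raw, policy=HTTP).iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name and part.get_filename() is None:
            data = part.get_payload(decode=True) or b""
            fields[name] = data.decode("utf-8", "replace").strip()
    return fields


def inspect_upload(content_type, body):
    """Return a finding if the checkSum field carries path syntax, else None."""
    value = form_fields(content_type, body).get("checkSum")
    if value is not None and SUSPICIOUS.search(value):
        return f"checkSum contains path syntax: {value!r}"
    return None


def sample_body(check_sum):
    """Constructed body (not captured traffic); the 'blob' file part is hypothetical."""
    b = "constructedboundary"
    return (
        f'--{b}\r\nContent-Disposition: form-data; name="checkSum"\r\n\r\n'
        f"{check_sum}\r\n"
        f'--{b}\r\nContent-Disposition: form-data; name="blob"; filename="chunk"\r\n'
        f"\r\nDATA\r\n--{b}--\r\n"
    ).encode()


if __name__ == "__main__":
    for value in ("a" * 64, "../../../../tmp/poc.bin"):
        print(inspect_upload(CONTENT_TYPE, sample_body(value)))
```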
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Fireshare to version 1.5.2 or later, where this vulnerability has been fixed by adding proper path validation and containment checks.
If upgrading immediately is not possible, restrict access to the `/api/uploadChunked` endpoint to trusted authenticated users only and monitor for suspicious activity.
Additionally, consider implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block requests containing path traversal patterns in the `checkSum` field.
Review and restrict filesystem permissions to limit writable locations accessible by the Fireshare process, reducing the impact of potential exploitation.