CVE-2026-3839
Awaiting Analysis Awaiting Analysis - Queue
Path Traversal in Unraid auth-request.php Enables Authentication Bypass

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: Zero Day Initiative

Description
Unraid Authentication Request Path Traversal Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Unraid. Authentication is not required to exploit this vulnerability. The specific flaw exists within the auth-request.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in authentications. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28912.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3839
EUVD
EUVD-2026-12168
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unraid unraid 7.2.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3839 is an authentication bypass vulnerability in Unraid. It occurs because the auth-request.php file does not properly validate a user-supplied path before using it in the authentication process. This flaw allows remote attackers to bypass authentication without needing any privileges or user interaction.

Impact Analysis

This vulnerability allows an attacker to bypass authentication on affected Unraid systems remotely. As a result, unauthorized users can gain access to the system without credentials, potentially leading to unauthorized access to sensitive data, system control, and further exploitation.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update your Unraid installation to version 7.2.4 or later, where the issue in auth-request.php has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3839. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart