CVE-2026-25525
Received Received - Intake
Path Traversal in OpenMage LTS Dataflow Allows Arbitrary File Read

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace('../', '', $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem. Version 20.17.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25525
EUVD
EUVD-2026-23891
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openmage magento to 20.17.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated administrator to read arbitrary files on the server filesystem, including sensitive configuration files such as database credentials and environment files.

Such unauthorized access to sensitive data can lead to data breaches, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could compromise confidentiality and lead to non-compliance with these regulations.

Executive Summary

CVE-2026-25525 is a path traversal vulnerability in the Dataflow module of OpenMage Long Term Support (LTS), an unofficial community-driven version of Magento. The module tries to prevent path traversal by removing '../' sequences from file path inputs using a simple string replacement. However, this filter is weak and can be bypassed using crafted input patterns like '..././' or '....//', which still resolve to '../' after filtering.

An authenticated administrator can exploit this flaw to read arbitrary files on the server filesystem by manipulating the file path parameter when importing data files. This allows access to sensitive files such as system password files, configuration files, and database credentials.

Impact Analysis

If exploited, this vulnerability allows an attacker with administrator privileges to read any file on the server filesystem. This can lead to exposure of sensitive information such as system user data (/etc/passwd), database credentials (app/etc/local.xml), environment variables (.env files), and other critical configuration or log files.

Such unauthorized access can compromise the confidentiality of the system, potentially enabling further attacks or data breaches. However, the attacker must already have admin access to the Magento admin panel to exploit this vulnerability.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious activity in the Dataflow module of OpenMage LTS, especially attempts to exploit path traversal via crafted file path parameters.

Since exploitation requires authenticated administrator access, detection involves auditing admin actions related to Dataflow import profiles.

  • Check web server logs for requests to the Dataflow import functionality containing suspicious patterns like '..././' or '....//' in the 'files' parameter.
  • Use grep or similar commands on server logs to find such patterns, for example: grep -E "files=.*(\.\.\/|\.\.\/\.\/|\.\.\.\/\/\/).*" /path/to/access.log
  • Audit recent changes or executions of Dataflow import profiles in the Magento admin panel.
  • Monitor filesystem access logs or use tools like auditd to detect reads of sensitive files (e.g., /etc/passwd, app/etc/local.xml) triggered by the web server user.
Mitigation Strategies

Immediate mitigation steps include restricting access and applying workarounds until the official patch can be applied.

  • Restrict the Dataflow module access strictly to trusted administrators.
  • Disable the Dataflow module if it is not in use.
  • Use Web Application Firewalls (WAFs) to block requests containing path traversal patterns such as '..././' or '....//'.
  • Enforce strict filesystem permissions for the web server user to limit access to sensitive files.
  • Monitor administrator activity for suspicious Dataflow profile executions.

The definitive fix is to update OpenMage LTS to version 20.17.0 or later, where the vulnerable code is patched by replacing the weak str_replace filter with PHP's basename() function to prevent path traversal.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart