Compliance Impact

The vulnerability allows attackers to read arbitrary files on the system, including sensitive files such as fiscal configuration files containing database credentials and application source code. This unauthorized access to sensitive data poses a high risk to data confidentiality and integrity.

Such exposure of sensitive information can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data to prevent unauthorized disclosure.

Since the vulnerability affects public sector fiscal management systems, failure to address it could result in violations of regulatory requirements related to data security and privacy.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-30996 is a critical unauthenticated Path Traversal vulnerability in the SAC-NFe v2.0.02 system, specifically in the download.php and open_pdf.php components.

The vulnerability arises because these components accept a user-supplied 'file' parameter without proper validation or sanitization, directly passing it to PHP's readfile() function.

Attackers can exploit this by crafting GET requests with directory traversal sequences (like '../') to read arbitrary files on the host system, bypassing intended directory restrictions.

This allows unauthorized access to sensitive files such as Windows system files, executable binaries, PHP configuration files, application source code, and fiscal configuration files containing database credentials.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability poses a high risk to data confidentiality and integrity, especially in public sector fiscal management systems using SAC-NFe.

Attackers can read sensitive system and application files without authentication, potentially exposing critical configuration data, credentials, and system information.

Such unauthorized access can lead to further exploitation, data breaches, and compromise of the affected system's security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access sensitive files through crafted HTTP GET requests targeting the download.php or open_pdf.php endpoints with a manipulated `file` parameter.

For example, using cURL commands to test directory traversal sequences like `../` or absolute paths can reveal if the system is vulnerable.

• curl "http://target/download.php?file=../../../../../../Windows/win.ini"
• curl "http://target/open_pdf.php?file=C:/Windows/System32/drivers/etc/services"

If the response returns the contents of these sensitive files, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves modifying the application code to prevent directory traversal attacks.

• Hardcode a fixed base directory from which files can be served.
• Use PHP's `basename()` function to strip directory traversal sequences from the `file` parameter.
• Validate that the requested file resides strictly within the authorized directory before serving it.

These steps prevent arbitrary path traversal and unauthorized file disclosure until an official patch is available.

Useful 0 Not Useful 0