CVE-2026-34413
Missing Authentication in Xerte elFinder Allows Remote Code Execution

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: VulnCheck

Description
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: xerte
Product: online_toolkits
Version / Range: to 3.15 (exc)
CWE
CWE-497: The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
AI Powered Q&A
Can you explain this vulnerability to me?

Xerte Online Toolkits versions 3.15 and earlier have a missing authentication vulnerability in the elFinder connector endpoint located at /editor/elfinder/php/connector.php. When an unauthenticated user accesses this endpoint, the system attempts to redirect them but fails to stop further PHP execution by not calling exit() or die(). This allows the attacker to continue processing the request on the server side.

As a result, unauthenticated attackers can perform various file operations on project media directories, such as creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files. These actions can be combined with other vulnerabilities like path traversal and extension blocklist bypasses to achieve remote code execution and arbitrary file reading.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access and manipulation of files within the project media directories. Attackers can upload malicious files, delete or overwrite important files, and rename or duplicate files, potentially disrupting service or corrupting data.

More critically, by chaining this vulnerability with path traversal and extension blocklist bypasses, attackers may achieve remote code execution on the server, allowing them to run arbitrary code. This could lead to full system compromise, data breaches, and loss of control over the affected server.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to perform unauthorized file operations including creating, uploading, renaming, duplicating, overwriting, and deleting files within project media directories. This can lead to exposure or manipulation of sensitive data.

Such unauthorized access and potential data exposure or alteration could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information against unauthorized access and modification.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthenticated access to the elFinder connector endpoint at /editor/elfinder/php/connector.php, where an HTTP redirect does not terminate PHP execution, allowing unauthorized file operations.

To detect this vulnerability on your system, you can attempt to send unauthenticated HTTP requests to the vulnerable endpoint and observe if the server processes file operation commands despite issuing a redirect.

Example commands to test this behavior include using curl to send requests to the connector.php endpoint without authentication and checking for unexpected file operation responses or side effects.

  • curl -v "http://yourserver/editor/elfinder/php/connector.php?cmd=mkdir&target=l1_Lw&name=testdir"
  • curl -v "http://yourserver/editor/elfinder/php/connector.php?cmd=upload&target=l1_Lw" -F "upload[]=@<local-file>"
  • curl -v "http://yourserver/editor/elfinder/php/connector.php?cmd=rename&target=l1_Lw&name=newname.txt"

If these commands succeed without authentication and the server does not properly terminate execution after redirecting, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the available patches for Xerte Online Toolkits versions 3.15, 3.14, and 3.13 that address this missing authentication vulnerability.

If patching is not immediately possible, restrict access to the /editor/elfinder/php/connector.php endpoint by implementing network-level controls such as firewall rules or web server access restrictions to prevent unauthenticated access.

Additionally, monitor server logs for suspicious unauthenticated requests to the connector endpoint and consider disabling or removing the elFinder connector if it is not required.
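The detection the two answers above call for (checking whether the connector still processes commands behind a redirect, and monitoring server logs for such requests), as an added example that is not part of the original page: a small Python scanner over access-log lines that flags connector.php requests answered with a redirect yet carrying a file-mutating elFinder command. It assumes a common/combined access-log format, uses constructed sample lines, and takes the elFinder command names from the operations the advisory lists.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

CONNECTOR_PATH = "/editor/elfinder/php/connector.php"
# elFinder commands that change files on disk (the operations the advisory lists)
MUTATING_CMDS = {"mkdir", "upload", "rename", "duplicate", "paste", "rm", "put"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    cmd = parse_qs(parts.query).get("cmd", [None])[0]
    return {"ip": ip, "ts": ts, "method": method, "path": parts.path,
            "cmd": cmd, "status": int(status)}


def is_suspicious(rec):
    """A redirect (the unauthenticated path) on connector.php together with a
    mutating command: on a vulnerable install the command still ran."""
    if rec is None or not rec["path"].endswith(CONNECTOR_PATH):
        return False
    if rec["status"] not in REDIRECT_STATUSES:
        return False
    # Uploads arrive by POST with cmd in the body, which the access log does not
    # record, so every redirected POST to the connector is flagged.
    return rec["method"] == "POST" or rec["cmd"] in MUTATING_CMDS


def scan(lines):
    """Return the parsed records that match the detection rule."""
    return [r for r in map(parse_line, lines) if is_suspicious(r)]


# Constructed sample log lines (not real traffic); only the first two should be flagged.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Apr/2026:10:01:02 +0000] "GET /editor/elfinder/php/connector.php?cmd=mkdir&target=l1_Lw&name=testdir HTTP/1.1" 302 0',
    '198.51.100.7 - - [22/Apr/2026:10:01:05 +0000] "POST /editor/elfinder/php/connector.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [22/Apr/2026:10:02:00 +0000] "GET /editor/elfinder/php/connector.php?cmd=open&target=l1_Lw HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Apr/2026:10:02:10 +0000] "GET /editor/elfinder/php/connector.php?cmd=mkdir&target=l1_Lw&name=media HTTP/1.1" 200 88',
    '10.0.0.5 - - [22/Apr/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 302 0',
]
```

Authenticated editor traffic to the connector returns 200, so a 3xx on a mutating command is the anomaly worth alerting on; after patching, the same rule still confirms that no such request was processed.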

