CVE-2026-34735
File Upload Vulnerability in Hytale Modding Wiki Enables RCE
Publication date: 2026-04-02
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hytale | hytale | up to 1.2.0 (excluding) |
| hytalemodding | wiki | 1.1.0 |
| hytalemodding | wiki | 1.1.2 |
| hytalemodding | wiki | 1.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability enables remote code execution and full database exfiltration, including sensitive user data and tokens, by allowing attackers to upload and execute malicious PHP files. Such unauthorized access and disclosure of personal and sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal data confidentiality, integrity, and access.
The exposure of environment secrets (e.g., database credentials, API keys) and the ability to dump entire databases publicly increases the risk of data breaches, which must be reported under these regulations. Failure to prevent such breaches or to implement adequate security controls can result in non-compliance, legal penalties, and reputational damage.
Can you explain this vulnerability to me?
CVE-2026-34735 is a critical remote code execution vulnerability in the quickUpload() method of the FileController in the Hytale Modding Wiki package (version 1.1.0 and prior). The vulnerability occurs because the system validates uploaded files by checking their MIME type using PHP's finfo class, but it constructs the stored filename using the client-supplied file extension without validation.
This disconnect allows an attacker with an authenticated account and edit permissions to upload a file that passes the MIME type check (for example, as image/gif) but carries a .php extension. The file is stored in a publicly accessible location and reachable by URL, so the web server executes it as PHP, enabling arbitrary code execution on the server.
An attacker can prepend GIF magic bytes to PHP code to bypass MIME checks, upload the file, and then execute it by visiting its URL. This leads to full server compromise, including reading sensitive environment variables, dumping the database, and maintaining persistent access.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Remote Code Execution: Attackers can run arbitrary PHP code with web server privileges.
- Secret Disclosure: Sensitive information such as application keys, database credentials, mail passwords, and API keys stored in the .env file can be exposed.
- Full Database Exfiltration: Attackers can dump the entire database contents, including user data and tokens, making them publicly accessible.
- Lateral Movement: Using leaked credentials, attackers may gain access to other connected services.
- Persistence: Attackers can upload web shells to maintain ongoing access, even after password resets or session revocation.
- Complete Server Compromise: A single compromised editor account can lead to full takeover of the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of uploaded files with suspicious extensions such as .php in the public upload directories, especially if those files contain PHP code disguised with allowed MIME types like image/gif.
You can look for files in the upload storage directory (e.g., mods/{mod->id}/files) that have a .php extension but contain image headers such as GIF89a.
Suggested commands to detect potentially malicious uploads include:
- Find .php files in the upload directory: `find /path/to/storage/mods -type f -name '*.php'`
- Check whether these .php files start with a GIF89a header (indicating MIME type spoofing): `head -c 6 <file> | hexdump -C` and verify whether the six bytes are `47 49 46 38 39 61`, i.e. the literal string `GIF89a`
- Search for PHP code inside files with image extensions: `grep -r '<?php' /path/to/storage/mods`
- Monitor web server access logs for requests to .php files in upload directories that should normally not contain executable scripts.
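The three file checks above can be run as a single pass over the upload tree. The script below is an added example, not code from the Hytale Modding Wiki project: it walks a directory, flags any script-named file (noting when it begins with GIF magic bytes) and any image-named file that contains a PHP open tag, and exits non-zero when something was found so it can run from cron. The list of script extensions and the default root path are assumptions; adjust them to the deployment.

```php
<?php
// Added example (not code from the Hytale Modding Wiki project): one pass over an
// upload tree applying the detection checks above. SCRIPT_EXTENSIONS and the
// default root path are assumptions; adjust them to the deployment.
declare(strict_types=1);

// Extensions a typical PHP handler configuration would execute (assumption).
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'phar'];
// Extensions under which a spoofed upload would be expected to hide.
const IMAGE_EXTENSIONS  = ['gif', 'png', 'jpg', 'jpeg', 'webp'];

/**
 * Walk $root and return findings as [['path' => ..., 'reason' => ...], ...].
 * Flags (a) any script-named file, noting when it starts with GIF magic bytes,
 * and (b) any image-named file whose content contains a PHP open tag.
 */
function scanUploadDirectory(string $root): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        // Read the whole file: a polyglot may place its PHP tag anywhere after
        // the image header, so inspecting only the first bytes is not enough.
        $data = file_get_contents($path);
        if ($data === false) {
            $findings[] = ['path' => $path, 'reason' => 'unreadable (check permissions)'];
            continue;
        }

        if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
            $reason = 'script extension inside upload tree';
            if (preg_match('/^GIF8[79]a/', $data)) {
                $reason .= ', starts with GIF magic bytes (MIME spoofing)';
            }
            $findings[] = ['path' => $path, 'reason' => $reason];
            continue;
        }

        if (in_array($ext, IMAGE_EXTENSIONS, true) && preg_match('/<\?(php\b|=)/i', $data)) {
            $findings[] = ['path' => $path, 'reason' => 'PHP open tag inside image-named file'];
        }
    }
    return $findings;
}

// CLI entry point: php scan_uploads.php /path/to/storage/mods
if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? '/path/to/storage/mods';   // placeholder path, as on the page
    if (!is_dir($root)) {
        fwrite(STDERR, "not a directory: $root\n");
        exit(2);
    }
    $hits = scanUploadDirectory($root);
    foreach ($hits as $hit) {
        printf("%-55s %s\n", $hit['reason'], $hit['path']);
    }
    // Non-zero exit when anything was flagged, so the scan can gate a cron job or CI step.
    exit($hits === [] ? 0 : 1);
}
```

Run it as `php scan_uploads.php /path/to/storage/mods` and pair it with the access-log check from the last bullet: a hit from the scanner plus a 200 response for that path in the web server log is a strong indication the file was already executed.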
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Do not trust client-supplied file extensions. Instead, derive the file extension from the validated MIME type using a server-controlled mapping.
- Configure the web server to deny execution of PHP scripts in the upload directory.
- For Nginx, add a rule to deny PHP execution in the storage directory, for example: `location ~* /storage/.*\.php$ { deny all; return 403; }`. Nginx evaluates regex `location` blocks in order, so this block must come before the generic `\.php$` block that passes requests to PHP-FPM, or it will never match.
- For Apache, use an .htaccess file in the storage directory with: `php_flag engine off` and `<FilesMatch "\.php$"> Deny from all </FilesMatch>`. `php_flag` only takes effect under mod_php (it is ignored with PHP-FPM), and `Deny from all` is the 2.2-style directive; on Apache 2.4 it requires mod_access_compat, with `Require all denied` as the native equivalent. Both need `AllowOverride` to permit .htaccess in that directory.
- Serve uploaded files safely by forcing downloads with fixed Content-Type headers or hosting uploads on a separate domain to prevent stored XSS.
- Apply rate limiting to upload endpoints to reduce abuse, e.g., limit to 10 uploads per minute.
- Unify validation rules across all upload methods to ensure consistent MIME and extension checks.
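The first mitigation, deriving the stored extension from the validated MIME type through a server-controlled mapping, is the code-level fix; the example below is an added illustration and not the project's own FileController code. It puts the vulnerable pattern (finfo check passes, extension copied from the client filename) beside the hardened one (extension taken from an allow-list keyed by the detected MIME type, random basename), and shows a request-handler wrapper that also verifies the upload came through PHP's upload mechanism. Function and class names, the allow-list contents and the storage root are assumptions.

```php
<?php
// Added example (not the project's own code): content-derived extension for
// uploads. Function and class names are illustrative; MIME_TO_EXTENSION is an
// assumption and should be trimmed to the file types the site really needs.
declare(strict_types=1);

// Server-controlled mapping: only MIME types present here are accepted, and the
// stored extension comes from this table, never from the client's filename.
// SVG is deliberately absent: it is XML and can carry script (stored XSS).
const MIME_TO_EXTENSION = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

final class UploadRejected extends RuntimeException {}

/** Detect the type from file content, not from the client's name or Content-Type header. */
function detectMime(string $tmpPath): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(MIME_TO_EXTENSION[$mime])) {
        throw new UploadRejected('unsupported content type: ' . var_export($mime, true));
    }
    return $mime;
}

/**
 * The vulnerable pattern, for contrast: the content check passes, but the
 * extension is copied from the client-supplied filename.
 */
function storedNameVulnerable(string $tmpPath, string $clientName): string
{
    detectMime($tmpPath);                                 // content is an allowed image type
    $ext = pathinfo($clientName, PATHINFO_EXTENSION);     // but the extension is the client's
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** The fixed pattern: extension derived from the validated MIME type only. */
function storedNameSafe(string $tmpPath): string
{
    $ext = MIME_TO_EXTENSION[detectMime($tmpPath)];
    // Random basename: nothing from the request reaches the filesystem path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Request-handler side. $upload is one entry of $_FILES; $uploadRoot should be
 * a directory the web server is configured never to execute scripts from.
 */
function handleUpload(array $upload, string $uploadRoot): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new UploadRejected('invalid upload');
    }
    $name = storedNameSafe($upload['tmp_name']);
    $dest = rtrim($uploadRoot, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new UploadRejected('could not store file');
    }
    return $name;
}

// Self-contained demonstration with a constructed file: a minimal GIF header
// (not a real image and not a payload) submitted under a .php filename. The
// vulnerable variant keeps the client's extension; the hardened one stores
// the file under the extension mapped from the detected type.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
    printf("vulnerable: %s\n", storedNameVulnerable($tmp, 'avatar.php'));
    printf("hardened:   %s\n", storedNameSafe($tmp));
    unlink($tmp);
}
```

The mapping is the single source of truth for both the accept decision and the stored extension, which also satisfies the last bullet: every upload method that calls `storedNameSafe()` gets the same MIME and extension rules, so there is no second code path with a weaker check. Keep the web-server rules above in place as well; the code fix and the no-execution rule for the upload directory are independent layers.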