CVE-2026-34977
Status: Received - Intake
Command Injection in Aperi'Solve JPEG Upload Enables Root RCE

Publication date: 2026-04-06

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Aperi'Solve is an open-source steganalysis web platform. Prior to 3.2.1, when uploading a JPEG, a user can specify an optional password to accompany the JPEG. This password is then directly passed into an expect command, which is then subsequently passed into a bash -c command, without any form of sanitization or validation. An unauthenticated attacker can achieve root-level RCE inside the worker container with a single HTTP request, enabling full read/write access to all user-uploaded images, analysis results, and plaintext steganography passwords stored on disk. Because the container shares a Docker network with PostgreSQL and Redis (no authentication on either), the attacker can pivot to dump the entire database or manipulate the job queue to poison results for other users. If Docker socket mounting or host volume mounts are present, this could escalate to full host compromise. This would also include defacement of the website itself. This vulnerability is fixed in 3.2.1.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: aperisolve
Product: aperisolve
Version / Range: up to 3.2.0 (inclusive)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34977 is a command injection vulnerability in the AperiSolve open-source steganalysis platform, specifically in the jpseek analyzer component. The issue occurs because when a user uploads a JPEG image and provides an optional password, this password is directly inserted into a shell command executed via `bash -c` without any sanitization or validation. This allows an attacker to inject arbitrary shell commands by crafting a malicious password.

The vulnerable code constructs an `expect` command string embedding the password, which is then passed to `bash -c`. Because the password is not sanitized, shell metacharacters can be used to execute arbitrary commands. The fix involves removing the `bash -c` wrapper and instead invoking `expect` directly, passing the password securely via an environment variable to prevent shell interpretation.
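The two invocation styles the answer contrasts, as an added example that is not Aperi'Solve's own code: a stand-in tool (`printf`, or a tiny Python child process) replaces expect/jpseek so the difference is observable without those tools installed. The password value is a constructed sample chosen to be harmless: shell arithmetic that a shell turns into `42` but that survives verbatim when passed as data. The environment variable names `JPSEEK_PASSWORD` and `JPSEEK_IMAGE`, and the expect prompt text in the sketch, are assumptions, not the project's identifiers.

```python
import os
import shutil
import subprocess
import sys

# Constructed sample password: harmless shell arithmetic expansion. If a shell
# parses it, it becomes "42"; if it is passed as data, it survives verbatim.
SAMPLE_PASSWORD = "$((6*7))"

# The page says the vulnerable path used `bash -c`; fall back to sh if bash
# is absent so the demonstration still runs (sh performs the same expansion).
SHELL = shutil.which("bash") or "sh"


def run_vulnerable_style(password: str) -> str:
    """Pre-3.2.1 pattern as the page describes it: user data is spliced into
    a command string that bash -c must parse. `printf` stands in for the
    expect/jpseek tool so the effect is visible without those tools."""
    cmd = f'printf "%s" "send {password}"'
    out = subprocess.run([SHELL, "-c", cmd], capture_output=True, text=True, check=True)
    return out.stdout


def run_hardened_style(password: str) -> str:
    """Fixed pattern as the page describes it: no shell anywhere in the chain,
    the tool is invoked as an argv list, and the password arrives through an
    environment variable. A small Python child process stands in for the tool."""
    env = dict(os.environ, JPSEEK_PASSWORD=password)  # hypothetical variable name
    child = [
        sys.executable, "-c",
        "import os, sys; sys.stdout.write('send ' + os.environ['JPSEEK_PASSWORD'])",
    ]
    out = subprocess.run(child, env=env, capture_output=True, text=True, check=True)
    return out.stdout


def hardened_expect_argv() -> list[str]:
    """Sketch of the real shape (hypothetical Tcl script, not Aperi'Solve's):
    expect is invoked directly and reads the password and image path from
    $env(...) inside the script, so neither value is ever shell text. Tcl
    substitutes the variable's value once and does not re-evaluate it."""
    script = (
        'spawn jpseek $env(JPSEEK_IMAGE); '
        'expect "Passphrase:"; '          # prompt text assumed, not verified
        'send "$env(JPSEEK_PASSWORD)\\r"; '
        'expect eof'
    )
    return ["expect", "-c", script]


if __name__ == "__main__":
    print("shell-parsed :", run_vulnerable_style(SAMPLE_PASSWORD))  # send 42
    print("env-passed   :", run_hardened_style(SAMPLE_PASSWORD))    # send $((6*7))
```

The point the two outputs make: quoting or escaping the password inside the command string is the fragile fix, because every layer that re-parses the string (bash, then expect's own Tcl parser) has its own metacharacters; removing the shell from the chain and moving the secret into the process environment leaves nothing to re-parse.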


How can this vulnerability impact me?

This vulnerability allows an unauthenticated attacker to achieve root-level remote code execution (RCE) inside the worker container with a single HTTP request.

  • Full read and write access to all user-uploaded images, analysis results, and plaintext steganography passwords stored on disk.
  • Lateral movement within the Docker network to PostgreSQL and Redis services, both of which lack authentication, enabling database dumping or manipulation of job queues to poison results for other users.
  • Potential escalation to full host compromise if Docker socket mounting or host volume mounts are present.
  • Risk of website defacement.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the AperiSolve installation is running a vulnerable version prior to 3.2.1, specifically versions up to 3.2.0 where the jpseek analyzer component executes user-supplied passwords unsafely via a shell command.

To detect exploitation attempts or presence of the vulnerability, you can monitor HTTP requests that upload JPEG images with suspicious password fields containing shell metacharacters such as semicolons (;) or command injection patterns.

Since the vulnerability allows remote code execution via crafted passwords, network monitoring for unusual outbound TCP connections from the worker container (e.g., connections to unknown external IPs or ports) may indicate exploitation.

Specific commands to detect exploitation attempts could include:

  • Inspect running AperiSolve version: check the version string or release tag to confirm if it is below 3.2.1.
  • Search logs for suspicious HTTP POST requests to the image upload endpoint containing shell metacharacters in the password field.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to detect unexpected outbound connections from the AperiSolve worker container.
  • Example command to check version (if accessible): `grep PROJECT_VERSION /path/to/aperisolve` or check the UI version display.
  • Example command to search logs for suspicious passwords: `grep -E 'password=.*[;|&]' /var/log/aperisolve/access.log`
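The log check from the list above carried a step further, as an added example that is not part of the original page: instead of the raw `grep -E 'password=.*[;|&]'`, this extracts the `password=` field, URL-decodes it (so `%3B` is seen as `;`, which the plain grep misses), treats `&` as the form-field separator rather than as a hit, and reports the full set of shell metacharacters found. The log format and every line in `LOG_LINES` are constructed; the field name `password` is the one the page names, but where and whether your server logs it is an assumption to verify.

```python
import re
from urllib.parse import unquote_plus

# Characters that carry meaning to bash when they appear unquoted in command
# text. Extends the page's `[;|&]` class with the remaining common ones.
SHELL_METACHARS = set(';|&$`\'"\\<>(){}\n')

# `password=` preceded by start of line, `?`, `&`, whitespace or a quote, with
# the value ending at the next `&`, whitespace or quote (form-field boundary).
FIELD_RE = re.compile(r'(?:^|[?&\s"])password=([^&\s"]*)')

# Constructed sample log lines in a combined-log-like format with the request
# body appended in quotes; addresses are documentation ranges (RFC 5737).
LOG_LINES = [
    '203.0.113.7 - - [06/Apr/2026:10:01:12 +0000] "POST /upload HTTP/1.1" 200 318 "password=hunter2&submit=1"',
    '203.0.113.9 - - [06/Apr/2026:10:02:45 +0000] "POST /upload HTTP/1.1" 200 318 "password=pass%3Bword&submit=1"',
    '198.51.100.4 - - [06/Apr/2026:10:03:01 +0000] "POST /upload HTTP/1.1" 200 318 "password=%24HOME"',
    '198.51.100.5 - - [06/Apr/2026:10:04:30 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-"',
    '198.51.100.6 - - [06/Apr/2026:10:05:00 +0000] "POST /upload HTTP/1.1" 200 318 "password=s3cret+pass"',
]


def extract_password_field(line: str):
    """Return the URL-decoded password field from a log line, or None if the
    line carries no such field."""
    m = FIELD_RE.search(line)
    if m is None:
        return None
    return unquote_plus(m.group(1))


def shell_metachars_in(value: str) -> str:
    """Distinct shell metacharacters present in `value`, in first-seen order."""
    seen = []
    for ch in value:
        if ch in SHELL_METACHARS and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def scan_lines(lines):
    """Flag (1-based line number, metacharacters found) for every line whose
    decoded password field contains at least one shell metacharacter."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        value = extract_password_field(line)
        if value is None:
            continue
        found = shell_metachars_in(value)
        if found:
            hits.append((lineno, found))
    return hits


if __name__ == "__main__":
    for lineno, found in scan_lines(LOG_LINES):
        print(f"line {lineno}: password field contains {found!r}")
```

Two caveats a practitioner will hit: most web servers do not log POST bodies by default, so this only finds anything if the application (or a reverse proxy) records the field, and a password containing these characters is not by itself proof of an attempt, only a reason to look at the rest of that session. The decoded `%24HOME` line is the kind the original grep would miss entirely.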

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade AperiSolve to version 3.2.1 or later, where the vulnerability has been fixed by removing unsafe shell command execution and passing passwords securely via environment variables.

If upgrading immediately is not possible, consider restricting network access to the AperiSolve worker container to prevent external HTTP requests that could exploit the vulnerability.

Additionally, ensure that Docker socket mounting and host volume mounts are not exposed to the AperiSolve container to reduce risk of host compromise.

Monitor and restrict access to PostgreSQL and Redis services on the Docker network by enabling authentication or network segmentation to prevent lateral movement.

Review and sanitize any user-uploaded data and passwords stored on disk, as they may have been compromised.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-34977 allows an unauthenticated attacker to achieve root-level remote code execution inside the worker container, leading to full read/write access to all user-uploaded images, analysis results, and plaintext steganography passwords stored on disk.

Because the attacker can access sensitive user data and potentially dump or manipulate the entire database (including PostgreSQL and Redis services without authentication), this vulnerability poses a significant risk to the confidentiality and integrity of personal and sensitive information.

Such unauthorized access and potential data compromise could violate data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access, disclosure, and alteration.

Additionally, the possibility of full host compromise and website defacement further increases the risk of non-compliance with security standards that mandate maintaining system integrity and availability.

