CVE-2026-34977
Received Received - Intake
Command Injection in Aperi'Solve JPEG Upload Enables Root RCE

Publication date: 2026-04-06

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Aperi'Solve is an open-source steganalysis web platform. Prior to 3.2.1, when uploading a JPEG, a user can specify an optional password to accompany the JPEG. This password is then directly passed into an expect command, which is then subsequently passed into a bash -c command, without any form of sanitization or validation. An unauthenticated attacker can achieve root-level RCE inside the worker container with a single HTTP request, enabling full read/write access to all user-uploaded images, analysis results, and plaintext steganography passwords stored on disk. Because the container shares a Docker network with PostgreSQL and Redis (no authentication on either), the attacker can pivot to dump the entire database or manipulate the job queue to poison results for other users. If Docker socket mounting or host volume mounts are present, this could escalate to full host compromise. This would also include defacement of the website itself. This vulnerability is fixed in 3.2.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34977
EUVD
EUVD-2026-19361
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aperisolve aperisolve to 3.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34977 is a command injection vulnerability in the AperiSolve open-source steganalysis platform, specifically in the jpseek analyzer component. The issue occurs because when a user uploads a JPEG image and provides an optional password, this password is directly inserted into a shell command executed via `bash -c` without any sanitization or validation. This allows an attacker to inject arbitrary shell commands by crafting a malicious password.

The vulnerable code constructs an `expect` command string embedding the password, which is then passed to `bash -c`. Because the password is not sanitized, shell metacharacters can be used to execute arbitrary commands. The fix involves removing the `bash -c` wrapper and instead invoking `expect` directly, passing the password securely via an environment variable to prevent shell interpretation.

Impact Analysis

This vulnerability allows an unauthenticated attacker to achieve root-level remote code execution (RCE) inside the worker container with a single HTTP request.

  • Full read and write access to all user-uploaded images, analysis results, and plaintext steganography passwords stored on disk.
  • Lateral movement within the Docker network to PostgreSQL and Redis services, both of which lack authentication, enabling database dumping or manipulation of job queues to poison results for other users.
  • Potential escalation to full host compromise if Docker socket mounting or host volume mounts are present.
  • Risk of website defacement.
Detection Guidance

This vulnerability can be detected by checking if the AperiSolve installation is running a vulnerable version prior to 3.2.1, specifically versions up to 3.2.0 where the jpseek analyzer component executes user-supplied passwords unsafely via a shell command.

To detect exploitation attempts or presence of the vulnerability, you can monitor HTTP requests that upload JPEG images with suspicious password fields containing shell metacharacters such as semicolons (;) or command injection patterns.

Since the vulnerability allows remote code execution via crafted passwords, network monitoring for unusual outbound TCP connections from the worker container (e.g., connections to unknown external IPs or ports) may indicate exploitation.

Specific commands to detect exploitation attempts could include:

  • Inspect running AperiSolve version: check the version string or release tag to confirm if it is below 3.2.1.
  • Search logs for suspicious HTTP POST requests to the image upload endpoint containing shell metacharacters in the password field.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to detect unexpected outbound connections from the AperiSolve worker container.
  • Example command to check version (if accessible): `grep PROJECT_VERSION /path/to/apertisolve` or check UI version display.
  • Example command to search logs for suspicious passwords: `grep -E 'password=.*[;|&]' /var/log/apertisolve/access.log`
Mitigation Strategies

The immediate mitigation step is to upgrade AperiSolve to version 3.2.1 or later, where the vulnerability has been fixed by removing unsafe shell command execution and passing passwords securely via environment variables.

If upgrading immediately is not possible, consider restricting network access to the AperiSolve worker container to prevent external HTTP requests that could exploit the vulnerability.

Additionally, ensure that Docker socket mounting and host volume mounts are not exposed to the AperiSolve container to reduce risk of host compromise.

Monitor and restrict access to PostgreSQL and Redis services on the Docker network by enabling authentication or network segmentation to prevent lateral movement.

Review and sanitize any user-uploaded data and passwords stored on disk, as they may have been compromised.

Compliance Impact

CVE-2026-34977 allows an unauthenticated attacker to achieve root-level remote code execution inside the worker container, leading to full read/write access to all user-uploaded images, analysis results, and plaintext steganography passwords stored on disk.

Because the attacker can access sensitive user data and potentially dump or manipulate the entire database (including PostgreSQL and Redis services without authentication), this vulnerability poses a significant risk to the confidentiality and integrity of personal and sensitive information.

Such unauthorized access and potential data compromise could violate data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access, disclosure, and alteration.

Additionally, the possibility of full host compromise and website defacement further increases the risk of non-compliance with security standards that mandate maintaining system integrity and availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart