CVE-2026-40163
Directory Traversal and Arbitrary File Write in Saltcorn Sync Endpoints
Publication date: 2026-04-10
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saltcorn | saltcorn | 1.6.0 |
| saltcorn | saltcorn | up to 1.4.5 (excluding 1.4.5) |
| saltcorn | saltcorn | from 1.5.0 (including) up to 1.5.5 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to write arbitrary files and read arbitrary directories on the server filesystem, potentially exposing sensitive data.
Such unauthorized access and modification of data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.
Specifically, the ability to read sensitive files or write malicious files could result in data breaches or unauthorized data manipulation, undermining compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-40163 covers two unauthenticated path traversal vulnerabilities in Saltcorn's mobile sync endpoints, both caused by request-controlled values being used in file paths without sanitization.
First, the POST /sync/offline_changes endpoint takes the newSyncTimestamp parameter and passes it directly into a path join operation without validation, so an attacker can create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem.
Second, the GET /sync/upload_finished endpoint uses the dir_name query parameter without sanitization, so an attacker can list the contents of arbitrary directories and read specific JSON files from anywhere on the server.
Neither endpoint requires authentication, so anyone who can reach the server can exploit these vulnerabilities.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized creation of directories and writing of arbitrary JSON files anywhere on the server filesystem.
Attackers can also read and list files from arbitrary directories, potentially exposing sensitive information.
The ability to write files in arbitrary locations can lead to remote code execution if attackers write to sensitive paths such as cron jobs, systemd configurations, or Node.js modules.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoints for path traversal and arbitrary file write/read capabilities.
- Send a POST request to /sync/offline_changes with the newSyncTimestamp parameter set to a path traversal payload (e.g., ../../../../tmp/evil) and check if a changes.json file is created in the specified directory.
- Send a GET request to /sync/upload_finished with the dir_name query parameter set to a path traversal string (e.g., ../../../../etc) and check if directory contents are listed.
Example commands using curl:
- `curl -X POST -H "Content-Type: application/json" -d '{"newSyncTimestamp":"../../../../tmp/evil"}' http://target/sync/offline_changes`
- `curl "http://target/sync/upload_finished?dir_name=../../../../etc"`
If these commands succeed in creating files or listing directories outside the intended sync directory, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Apply the patch or upgrade Saltcorn to versions 1.4.5, 1.5.5, or 1.6.0-beta.4 where this vulnerability is fixed.
- Ensure that the vulnerable endpoints (/sync/offline_changes and /sync/upload_finished) properly sanitize and restrict file paths using safe path validation functions like File.normalise_in_base().
- Add authentication middleware (e.g., loggedIn) to these endpoints to prevent unauthenticated access.
- If immediate patching is not possible, consider restricting access to these endpoints via network controls such as firewall rules or API gateway policies.