CVE-2026-40163
Received Received - Intake
Directory Traversal and Arbitrary File Write in Saltcorn Sync Endpoints

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40163
EUVD
EUVD-2026-21517
Affected Vendors & Products
Showing 23 associated CPEs
Vendor Product Version / Range
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn 1.6.0
saltcorn saltcorn to 1.4.5 (exc)
saltcorn saltcorn From 1.5.0 (inc) to 1.5.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40163 involves two unauthenticated path traversal vulnerabilities in Saltcorn's mobile sync endpoints that allow attackers to manipulate file paths without proper sanitization.

First, the POST /sync/offline_changes endpoint accepts a parameter that is used directly in a path join operation without validation, enabling attackers to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem.

Second, the GET /sync/upload_finished endpoint uses a directory name parameter without sanitization, allowing attackers to list contents of arbitrary directories and read specific JSON files from anywhere on the server.

Both endpoints lack authentication, meaning anyone can exploit these vulnerabilities.

Impact Analysis

This vulnerability can have serious impacts including unauthorized creation of directories and writing of arbitrary JSON files anywhere on the server filesystem.

Attackers can also read and list files from arbitrary directories, potentially exposing sensitive information.

The ability to write files in arbitrary locations can lead to remote code execution if attackers write to sensitive paths such as cron jobs, systemd configurations, or Node.js modules.

Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoints for path traversal and arbitrary file write/read capabilities.

  • Send a POST request to /sync/offline_changes with the newSyncTimestamp parameter set to a path traversal payload (e.g., ../../../../tmp/evil) and check if a changes.json file is created in the specified directory.
  • Send a GET request to /sync/upload_finished with the dir_name query parameter set to a path traversal string (e.g., ../../../../etc) and check if directory contents are listed.

Example commands using curl:

  • curl -X POST -H "Content-Type: application/json" -d '{"newSyncTimestamp":"../../../../tmp/evil"}' http://target/sync/offline_changes
  • curl "http://target/sync/upload_finished?dir_name=../../../../etc"

If these commands succeed in creating files or listing directories outside the intended sync directory, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include:

  • Apply the patch or upgrade Saltcorn to versions 1.4.5, 1.5.5, or 1.6.0-beta.4 where this vulnerability is fixed.
  • Ensure that the vulnerable endpoints (/sync/offline_changes and /sync/upload_finished) properly sanitize and restrict file paths using safe path validation functions like File.normalise_in_base().
  • Add authentication middleware (e.g., loggedIn) to these endpoints to prevent unauthenticated access.
  • If immediate patching is not possible, consider restricting access to these endpoints via network controls such as firewall rules or API gateway policies.
Compliance Impact

The vulnerability allows unauthenticated attackers to write arbitrary files and read arbitrary directories on the server filesystem, potentially exposing sensitive data.

Such unauthorized access and modification of data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.

Specifically, the ability to read sensitive files or write malicious files could result in data breaches or unauthorized data manipulation, undermining compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40163. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart