CVE-2026-41180
Received Received - Intake
Path Traversal in PsiTransfer Upload Allows Remote Code Execution

Publication date: 2026-04-23

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-23
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41180
EUVD
EUVD-2026-25150
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
psi-4ward psitransfer to 2.4.3 (exc)
psi-4ward psitransfer to 2.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41180 is a path traversal vulnerability in PsiTransfer, an open source self-hosted file sharing solution, affecting versions prior to 2.4.3.

The issue occurs in the PATCH upload flow at the endpoint `/files/:uploadId`, where the application validates the request path using the still-encoded `req.path`, but later writes files using the decoded `req.params.uploadId`. This inconsistency allows an unauthenticated attacker to craft a path traversal payload that bypasses validation.

In deployments using a custom upload directory whose basename prefixes a startup-loaded JavaScript path (e.g., a directory named `conf`), the attacker can create or overwrite files like `config.<NODE_ENV>.js` in the application root.

These attacker-controlled files are executed on the next process restart, enabling remote code execution with the PsiTransfer service account.

Impact Analysis

This vulnerability allows a remote, unauthenticated attacker to perform arbitrary code execution on the server running PsiTransfer.

By exploiting the path traversal flaw, the attacker can write malicious JavaScript files into the application root directory, which are then executed upon the next process restart.

The impact includes full compromise of confidentiality, integrity, and availability of the affected system, as the attacker can execute arbitrary commands with the PsiTransfer service account privileges.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious PATCH requests to the `/files/:uploadId` endpoint that contain path traversal payloads such as encoded sequences like `%2F` or `..%2F` in the uploadId parameter.

Specifically, look for PATCH requests attempting to write files outside the intended upload directory, for example targeting paths like `/files/..%2Fconfig.production.js`.

Network detection can involve inspecting HTTP logs or using tools like tcpdump or Wireshark to filter PATCH requests to the vulnerable endpoint.

  • Use grep or similar tools on server access logs to find suspicious PATCH requests: `grep -i 'PATCH /files/' /var/log/psitransfer/access.log | grep '%2F'`
  • Use curl or HTTP client to test if the server accepts path traversal payloads: `curl -X PATCH 'http://yourserver/files/..%2Fconfig.production.js' -d @payload`
  • Monitor filesystem for unexpected files created outside the upload directory, especially files named like `config.<NODE_ENV>.js` in the application root.
Mitigation Strategies

The immediate mitigation steps include upgrading PsiTransfer to version 2.4.3 or later, which contains a patch that strictly validates upload IDs and sanitizes file paths to prevent path traversal.

Until the patch is applied, avoid using custom upload directories whose basenames prefix startup-loaded JavaScript paths (such as directories named `conf`), as this configuration is vulnerable.

Additionally, configure the server to reject PATCH requests unless the expected sidecar metadata exists, reducing the risk of malicious file writes.

Default Docker and systemd deployments are not vulnerable by default because their upload directories do not prefix startup-loaded paths, so consider using default configurations if patching is not immediately possible.

Compliance Impact

CVE-2026-41180 allows an unauthenticated attacker to achieve arbitrary code execution by exploiting a path traversal vulnerability in PsiTransfer. This can lead to unauthorized file creation and modification, potentially compromising the confidentiality, integrity, and availability of data handled by the application.

Such unauthorized access and code execution risks violating data protection requirements under common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality and integrity. If sensitive personal or health data is stored or processed by PsiTransfer, this vulnerability could lead to data breaches or unauthorized data manipulation, thereby impacting compliance.

Therefore, organizations using vulnerable versions of PsiTransfer may face increased risk of non-compliance with these regulations until the vulnerability is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41180. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart