CVE-2026-41180
Path Traversal in PsiTransfer Upload Allows Remote Code Execution
Publication date: 2026-04-23
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| psi-4ward | psitransfer | up to 2.4.3 (excluding) |
| psi-4ward | psitransfer | up to 2.4.1 (including) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41180 is a path traversal vulnerability in PsiTransfer, an open source self-hosted file sharing solution, affecting versions prior to 2.4.3.
The issue occurs in the PATCH upload flow at the endpoint `/files/:uploadId`, where the application validates the request path using the still-encoded `req.path`, but later writes files using the decoded `req.params.uploadId`. This inconsistency allows an unauthenticated attacker to craft a path traversal payload that bypasses validation.
In deployments using a custom upload directory whose basename prefixes a startup-loaded JavaScript path (e.g., a directory named `conf`), the attacker can create or overwrite files like `config.<NODE_ENV>.js` in the application root.
These attacker-controlled files are executed on the next process restart, enabling remote code execution with the PsiTransfer service account.
How can this vulnerability impact me?
This vulnerability allows a remote, unauthenticated attacker to perform arbitrary code execution on the server running PsiTransfer.
By exploiting the path traversal flaw, the attacker can write malicious JavaScript files into the application root directory, which are then executed upon the next process restart.
The impact includes full compromise of confidentiality, integrity, and availability of the affected system, as the attacker can execute arbitrary commands with the PsiTransfer service account privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious PATCH requests to the `/files/:uploadId` endpoint that contain path traversal payloads such as encoded sequences like `%2F` or `..%2F` in the uploadId parameter.
Specifically, look for PATCH requests attempting to write files outside the intended upload directory, for example targeting paths like `/files/..%2Fconfig.production.js`.
Network detection can involve inspecting HTTP logs or using tools like tcpdump or Wireshark to filter PATCH requests to the vulnerable endpoint.
- Use grep or similar tools on server access logs to find suspicious PATCH requests: `grep -i 'PATCH /files/' /var/log/psitransfer/access.log | grep '%2F'`
- Use curl or HTTP client to test if the server accepts path traversal payloads: `curl -X PATCH 'http://yourserver/files/..%2Fconfig.production.js' -d @payload`
- Monitor filesystem for unexpected files created outside the upload directory, especially files named like `config.<NODE_ENV>.js` in the application root.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps include upgrading PsiTransfer to version 2.4.3 or later, which contains a patch that strictly validates upload IDs and sanitizes file paths to prevent path traversal.
Until the patch is applied, avoid using custom upload directories whose basenames prefix startup-loaded JavaScript paths (such as directories named `conf`), as this configuration is vulnerable.
Additionally, configure the server to reject PATCH requests unless the expected sidecar metadata exists, reducing the risk of malicious file writes.
Default Docker and systemd deployments are not affected because their upload directories do not prefix startup-loaded paths, so consider reverting to the default configuration if patching is not immediately possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41180 allows an unauthenticated attacker to achieve arbitrary code execution by exploiting a path traversal vulnerability in PsiTransfer. This can lead to unauthorized file creation and modification, potentially compromising the confidentiality, integrity, and availability of data handled by the application.
Such unauthorized access and code execution risks violating data protection requirements under common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality and integrity. If sensitive personal or health data is stored or processed by PsiTransfer, this vulnerability could lead to data breaches or unauthorized data manipulation, thereby impacting compliance.
Therefore, organizations using vulnerable versions of PsiTransfer may face increased risk of non-compliance with these regulations until the vulnerability is patched.