CVE-2026-5535
Path Traversal in FedML MQTT Handler Allows Remote Exploits
Publication date: 2026-04-05
Last updated on: 2026-04-30
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tensoropera | fedml | to 0.8.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5535 is a path traversal vulnerability found in the Android client of FedML (version up to 0.8.9), specifically in the MQTT Message Handler component. The vulnerability arises because the client processes MQTT messages containing a dataSet parameter without validating or sanitizing it before using it to construct filesystem paths.
An attacker who can publish or tamper with MQTT messages can supply crafted path traversal payloads (e.g., "../../../../") that cause the client to access and enumerate arbitrary directories within the app's accessible filesystem. This happens because the code concatenates the base path with the untrusted dataSet string directly, without any canonicalization or traversal filtering.
The vulnerability allows unauthorized directory listing within the app sandbox, exposing internal paths and dataset locations. It is exploitable remotely via MQTT messages and represents a trust boundary violation from network input to local filesystem access.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to perform unauthorized directory enumeration within the app-accessible filesystem on an Android device running the vulnerable FedML client.
- Disclosure of sensitive internal paths and dataset locations.
- Enables filesystem reconnaissance and application fingerprinting.
- Potential Denial of Service due to large directory listings causing high memory usage or UI freezes.
- The attacker cannot directly read or modify files but can gain information about the filesystem structure within the app sandbox.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Android client of FedML (version ≤0.8.9) for path traversal issues in the MQTT message handling, specifically by sending crafted MQTT messages containing traversal payloads in the dataSet parameter.
A practical detection method involves publishing MQTT messages with payloads such as { "dataSet": "../../../../" } to the affected client and observing if the client attempts to list directories outside the intended base path.
Detection commands or steps include:
- Use an MQTT client tool to publish a message with a path traversal payload to the topic the FedML client subscribes to.
- Example MQTT publish command using mosquitto_pub: `mosquitto_pub -h <broker_address> -t <topic> -m '{"dataSet": "../../../../data/data/"}'`
- Monitor the client logs or behavior for directory listing of unintended paths or security exceptions.
If the client lists directories outside the expected base path or crashes/freezes due to large directory listings, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on input validation and securing MQTT communication to prevent exploitation of the path traversal vulnerability.
- Implement input validation to reject any dataSet parameter containing ".." to block traversal sequences.
- Enforce canonical path checks to ensure that the resolved filesystem path is within the intended base directory.
- Restrict allowed dataset names using whitelist regex patterns that only permit safe characters (e.g., alphanumeric, underscore, hyphen).
- Harden MQTT security by enforcing authentication mechanisms such as TLS with client certificates and applying strict topic access control lists (ACLs) to prevent unauthorized message publishing.
These steps will prevent attackers from supplying malicious path traversal payloads and reduce the risk of unauthorized directory enumeration.
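As an added illustration of the input validation and canonical-path checks listed above (example code written for this page, not code from the FedML project), the class below shows the raw-concatenation pattern the advisory describes next to a hardened handler that parses the MQTT payload's dataSet field, applies a whitelist, and confirms the resolved path stays under the app's dataset directory. The class and method names, the "datasets" subdirectory and the whitelist pattern are assumptions; org.json is used because it ships with Android.

```java
import java.io.File;
import java.nio.file.Path;
import java.util.regex.Pattern;
import org.json.JSONObject;

/** Hypothetical guard for dataSet values received over MQTT (example, not FedML code). */
public final class DataSetPathGuard {
    // Assumed whitelist: dataset names are short identifiers with no path separators,
    // so "..", "/" and "\" can never appear in an accepted value.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
    private final Path baseDir;

    public DataSetPathGuard(File appFilesDir) {
        // Canonicalize the base once (absolute, no "." or ".." components) so the
        // containment check below compares against a stable prefix.
        this.baseDir = appFilesDir.toPath().resolve("datasets").toAbsolutePath().normalize();
    }

    /** Vulnerable pattern described in the advisory: base path + untrusted string. */
    public static File[] listUnsafe(File appFilesDir, String dataSet) {
        // "../../../../" in dataSet walks out of the datasets directory.
        return new File(appFilesDir, "datasets/" + dataSet).listFiles();
    }

    /** Hardened handler: whitelist first, canonical containment check second. */
    public File[] listSafe(String mqttPayloadJson) {
        String dataSet = new JSONObject(mqttPayloadJson).optString("dataSet", "");
        if (!SAFE_NAME.matcher(dataSet).matches()) {
            // Rejects "../../../../", empty values, and anything with separators.
            throw new IllegalArgumentException("rejected dataSet value");
        }
        // Defense in depth: even an accepted name must resolve inside baseDir.
        Path resolved = baseDir.resolve(dataSet).normalize();
        if (!resolved.startsWith(baseDir)) {
            throw new IllegalArgumentException("dataSet resolves outside base directory");
        }
        return resolved.toFile().listFiles();
    }
}
```

The whitelist alone blocks the traversal payload; the startsWith check is kept so that a later relaxation of the pattern cannot silently reintroduce the escape.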
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized directory enumeration within the app's accessible filesystem, potentially exposing sensitive internal paths and dataset locations.
Such unauthorized access and disclosure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Because the vulnerability enables attackers to gain information about internal data structures and possibly sensitive files, it increases the risk of data breaches and unauthorized data exposure, which are critical compliance concerns.
Mitigating this vulnerability by input validation, path canonicalization, and securing MQTT communications is essential to maintain compliance with these standards.