CVE-2026-5535
Received Received - Intake
Path Traversal in FedML MQTT Handler Allows Remote Exploits

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A security flaw has been discovered in FedML-AI FedML up to 0.8.9. This impacts an unknown function of the file FileUtils.java of the component MQTT Message Handler. Performing a manipulation of the argument dataSet results in path traversal. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5535
EUVD
EUVD-2026-19017
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tensoropera fedml to 0.8.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5535 is a path traversal vulnerability found in the Android client of FedML (version up to 0.8.9), specifically in the MQTT Message Handler component. The vulnerability arises because the client processes MQTT messages containing a dataSet parameter without validating or sanitizing it before using it to construct filesystem paths.

An attacker who can publish or tamper with MQTT messages can supply crafted path traversal payloads (e.g., "../../../../") that cause the client to access and enumerate arbitrary directories within the app’s accessible filesystem. This happens because the code concatenates the base path with the untrusted dataSet string directly, without any canonicalization or traversal filtering.

The vulnerability allows unauthorized directory listing within the app sandbox, exposing internal paths and dataset locations. It is exploitable remotely via MQTT messages and represents a trust boundary violation from network input to local filesystem access.

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform unauthorized directory enumeration within the app-accessible filesystem on an Android device running the vulnerable FedML client.

  • Disclosure of sensitive internal paths and dataset locations.
  • Enables filesystem reconnaissance and application fingerprinting.
  • Potential Denial of Service due to large directory listings causing high memory usage or UI freezes.
  • The attacker cannot directly read or modify files but can gain information about the filesystem structure within the app sandbox.
Detection Guidance

This vulnerability can be detected by testing the Android client of FedML (version ≀0.8.9) for path traversal issues in the MQTT message handling, specifically by sending crafted MQTT messages containing traversal payloads in the dataSet parameter.

A practical detection method involves publishing MQTT messages with payloads such as { "dataSet": "../../../../" } to the affected client and observing if the client attempts to list directories outside the intended base path.

Detection commands or steps include:

  • Use an MQTT client tool to publish a message with a path traversal payload to the topic the FedML client subscribes to.
  • Example MQTT publish command using mosquitto_pub:
  • mosquitto_pub -h <broker_address> -t <topic> -m '{"dataSet": "../../../../data/data/"}'
  • Monitor the client logs or behavior for directory listing of unintended paths or security exceptions.

If the client lists directories outside the expected base path or crashes/freezes due to large directory listings, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps focus on input validation and securing MQTT communication to prevent exploitation of the path traversal vulnerability.

  • Implement input validation to reject any dataSet parameter containing ".." to block traversal sequences.
  • Enforce canonical path checks to ensure that the resolved filesystem path is within the intended base directory.
  • Restrict allowed dataset names using whitelist regex patterns that only permit safe characters (e.g., alphanumeric, underscore, hyphen).
  • Harden MQTT security by enforcing authentication mechanisms such as TLS with client certificates and applying strict topic access control lists (ACLs) to prevent unauthorized message publishing.

These steps will prevent attackers from supplying malicious path traversal payloads and reduce the risk of unauthorized directory enumeration.

Compliance Impact

The vulnerability allows unauthorized directory enumeration within the app's accessible filesystem, potentially exposing sensitive internal paths and dataset locations.

Such unauthorized access and disclosure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Because the vulnerability enables attackers to gain information about internal data structures and possibly sensitive files, it increases the risk of data breaches and unauthorized data exposure, which are critical compliance concerns.

Mitigating this vulnerability by input validation, path canonicalization, and securing MQTT communications is essential to maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5535. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart