Executive Summary

CVE-2026-32847 is a path traversal vulnerability in DeepCode's SPA catch-all route located in new_ui/backend/main.py. It allows unauthenticated attackers to read arbitrary files by sending specially crafted HTTP GET requests with percent-encoded path segments. Attackers bypass the normal path normalization by encoding slashes as %2F and dots as %2E%2E, enabling them to traverse outside the intended FRONTEND_DIST directory.

This flaw lets attackers access sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request, without requiring any authentication or user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts because it allows attackers to read sensitive files on the server remotely and without authentication.

• Exposure of SSH private keys, which could lead to unauthorized server access.
• Disclosure of TLS certificates, potentially compromising encrypted communications.
• Leakage of application secrets, which could be used to further exploit or manipulate the application.

Overall, this can lead to a complete compromise of the affected system and its data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the GET /{full_path:path} endpoint for suspicious percent-encoded path traversal sequences such as %2F (encoded slash) and %2E%2E (encoded dots). These sequences are used to bypass path normalization and access files outside the intended directory.

You can detect exploitation attempts by searching web server logs or network traffic for requests containing these encoded traversal patterns.

• Use grep or similar tools on access logs to find suspicious requests, for example: grep -E '%2F|%2E%2E' /var/log/nginx/access.log
• Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests and filter for encoded traversal sequences.
• Send crafted HTTP GET requests with encoded traversal sequences to the vulnerable endpoint to test if the system is exploitable, for example using curl: curl -v 'http://target-server/{..%2F..%2F..%2Fetc/passwd}'

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable GET /{full_path:path} endpoint to prevent unauthenticated users from exploiting the path traversal.

Implement input validation and containment checks to ensure that requested paths do not traverse outside the intended FRONTEND_DIST directory.

Apply patches or updates that fix the vulnerability in the new_ui/backend/main.py SPA catch-all route, if available.

If running in Docker or production mode, consider disabling or restricting the SPA catch-all route until a fix is applied.

Monitor logs for exploitation attempts and block suspicious IP addresses or requests at the firewall or web server level.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary sensitive files such as SSH private keys, TLS certificates, and application secrets by exploiting a path traversal flaw. Exposure of such sensitive information can lead to unauthorized access to protected data and systems.

The unauthorized disclosure of sensitive files and secrets can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. Organizations using affected DeepCode versions may face compliance risks due to potential data breaches stemming from this vulnerability.

Useful 0 Not Useful 0