CVE-2026-32847
Path Traversal in DeepCode via Percent-Encoded Segments
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deepcode | deepcode | * |
| deepcode | deepcode | 1.2.0 |
| deepcode | deepcode | to 1.2.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32847 is a path traversal vulnerability in DeepCode's SPA catch-all route located in new_ui/backend/main.py. It allows unauthenticated attackers to read arbitrary files by sending specially crafted HTTP GET requests with percent-encoded path segments. Attackers bypass the normal path normalization by encoding slashes as %2F and dots as %2E%2E, enabling them to traverse outside the intended FRONTEND_DIST directory.
This flaw lets attackers access sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request, without requiring any authentication or user interaction.
How can this vulnerability impact me?
This vulnerability can have serious impacts because it allows attackers to read sensitive files on the server remotely and without authentication.
- Exposure of SSH private keys, which could lead to unauthorized server access.
- Disclosure of TLS certificates, potentially compromising encrypted communications.
- Leakage of application secrets, which could be used to further exploit or manipulate the application.
Overall, this can lead to a complete compromise of the affected system and its data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the GET /{full_path:path} endpoint for suspicious percent-encoded path traversal sequences such as %2F (encoded slash) and %2E%2E (encoded dots). These sequences are used to bypass path normalization and access files outside the intended directory.
You can detect exploitation attempts by searching web server logs or network traffic for requests containing these encoded traversal patterns.
- Use grep or similar tools on access logs to find suspicious requests; match case-insensitively, since percent-encoding accepts both %2F and %2f, for example: grep -Ei '%2F|%2E%2E' /var/log/nginx/access.log
- Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests and filter for encoded traversal sequences.
- Send crafted HTTP GET requests with encoded traversal sequences to the vulnerable endpoint to test if the system is exploitable, for example using curl: curl -v 'http://target-server/{..%2F..%2F..%2Fetc/passwd}'
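The log search above is the simplest form of this check. As an added example that is not part of the advisory and not DeepCode's code, the script below runs the same idea over a handful of constructed Combined Log Format lines (the IPs, hostnames and paths are made up for the demo). It goes beyond a plain grep in three ways a defender cares about: it only inspects the request path, so encoded slashes inside a query string do not trigger false positives; it matches percent-encoding case-insensitively; and it decodes twice before checking for a `..` segment, so double-encoded sequences such as %252E%252E are not missed. The `full_path` catch-all and FRONTEND_DIST names come from the advisory; everything else here is assumed.

```python
"""Scan access-log lines for percent-encoded traversal attempts.

Added example for CVE-2026-32847 (not from the advisory or from DeepCode).
Assumes Combined Log Format; all sample lines below are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample log: two normal SPA requests, three traversal attempts
# (mixed-case and double-encoded), and a query string that a naive grep for
# %2F would wrongly flag.
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2026:10:01:02 +0000] "GET /assets/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/May/2026:10:01:03 +0000] "GET /dashboard/settings HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [28/May/2026:10:02:11 +0000] "GET /..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1432 "-" "curl/8.5.0"
198.51.100.7 - - [28/May/2026:10:02:12 +0000] "GET /%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 404 0 "-" "curl/8.5.0"
198.51.100.7 - - [28/May/2026:10:02:13 +0000] "GET /%252E%252E%252Fapp%252Fsecrets.env HTTP/1.1" 200 90 "-" "curl/8.5.0"
192.0.2.5 - - [28/May/2026:10:03:00 +0000] "GET /search?q=a%2Fb HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined Log Format prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Encoded '/' or '.' in the *path* of a request to an SPA route is the
# indicator the advisory names; case-insensitive because %2f == %2F.
ENCODED_SEPARATOR_RE = re.compile(r"%2f|%2e", re.IGNORECASE)


def analyze_target(target: str) -> dict:
    """Return the reasons a request target looks like traversal (empty if clean)."""
    path = target.split("?", 1)[0]  # encoded slashes in a query string are normal
    once = unquote(path)
    twice = unquote(once)  # second pass collapses %25XX double encoding
    segments = twice.replace("\\", "/").split("/")

    reasons = []
    if ENCODED_SEPARATOR_RE.search(path):
        reasons.append("encoded-separator")
    if twice != once:
        reasons.append("double-encoding")
    if ".." in segments:
        reasons.append("traversal")
    return {"path": path, "decoded": twice, "reasons": reasons}


def scan_log(log_text: str) -> list[dict]:
    """Parse each log line and collect the ones with at least one traversal indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyze_target(m["target"])
        if verdict["reasons"]:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),  # 200 on a traversal path = likely successful read
                "target": m["target"],
                "decoded": verdict["decoded"],
                "reasons": verdict["reasons"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {','.join(f['reasons']):40} {f['target']} -> {f['decoded']}")
```

A 200 status on a flagged line deserves the most attention: it suggests the server actually returned the file rather than rejecting the request. Feed real logs in through `scan_log()` in place of `SAMPLE_LOG`.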
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable GET /{full_path:path} endpoint to prevent unauthenticated users from exploiting the path traversal.
Implement input validation and containment checks to ensure that requested paths do not traverse outside the intended FRONTEND_DIST directory.
Apply patches or updates that fix the vulnerability in the new_ui/backend/main.py SPA catch-all route, if available.
If running in Docker or production mode, consider disabling or restricting the SPA catch-all route until a fix is applied.
Monitor logs for exploitation attempts and block suspicious IP addresses or requests at the firewall or web server level.
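The containment check recommended above can be made concrete. The block below is an added example, not the advisory's text and not DeepCode's own main.py: it assumes a FastAPI-style catch-all route of the form GET /{full_path:path} that serves files from a FRONTEND_DIST directory and falls back to index.html for client-side routes, and it builds a small constructed dist directory in a temp folder so it runs offline. The key points are the order of operations (percent-decode fully first, then join and resolve, then check containment on the real absolute path) and that the check is done on the resolved path rather than on a string, so encoded separators, double encoding and symlinks are all handled the same way. Function names are hypothetical.

```python
"""Hardened containment check for an SPA catch-all route.

Added example for CVE-2026-32847 (not DeepCode's code). Assumes a route such as
GET /{full_path:path} that maps the request path onto FRONTEND_DIST and serves
index.html for anything that is not a regular file. Names are hypothetical.
"""
from __future__ import annotations

import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed request paths: normal asset, client-side route, and the encoded
# traversal shapes the advisory describes (%2F, %2E%2E) plus a double-encoded one.
SAMPLE_REQUESTS = [
    "assets/app.js",
    "dashboard/settings",
    "..%2F..%2F..%2Fetc/passwd",
    "%2E%2E%2F%2E%2E%2Fetc/passwd",
    "%252E%252E%252F%252E%252E%252Fetc/passwd",
    "assets/../../etc/passwd",
]


def fully_decode(segment: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252E -> %2E -> '.'
    cannot slip past a single-pass check. Bounded to avoid decode loops."""
    for _ in range(max_rounds):
        decoded = unquote(segment)
        if decoded == segment:
            return decoded
        segment = decoded
    return segment


def contain(root: Path, requested: str) -> Path | None:
    """Return the absolute path for `requested` if it stays inside `root`, else None.

    `root` must already be resolved. The containment test runs on the fully
    resolved candidate, not on the request string, so '..' segments, encoded
    separators and symlinks are all judged by where the path actually lands.
    """
    decoded = fully_decode(requested)
    if "\x00" in decoded or "\\" in decoded:  # reject NUL and Windows separators outright
        return None
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and not candidate.is_relative_to(root):
        return None
    return candidate


def serve_spa(root: Path, requested: str) -> Path | None:
    """Choose the file to serve: an existing regular file inside root, otherwise
    index.html (SPA fallback). None means the request must be rejected with 4xx."""
    root = root.resolve()
    target = contain(root, requested)
    if target is None:
        return None
    if target.is_file():
        return target
    return root / "index.html"


def build_sample_dist() -> Path:
    """Constructed FRONTEND_DIST layout in a temp directory for the demo."""
    root = Path(tempfile.mkdtemp(prefix="frontend_dist_"))
    (root / "assets").mkdir()
    (root / "index.html").write_text("<html>spa</html>")
    (root / "assets" / "app.js").write_text("console.log('app');")
    return root


def classify(root: Path) -> dict[str, str]:
    """Map each sample request to 'file', 'index' or 'rejected'."""
    verdicts = {}
    for req in SAMPLE_REQUESTS:
        target = serve_spa(root, req)
        if target is None:
            verdicts[req] = "rejected"
        elif target.name == "index.html":
            verdicts[req] = "index"
        else:
            verdicts[req] = "file"
    return verdicts


if __name__ == "__main__":
    for req, verdict in classify(build_sample_dist()).items():
        print(f"{verdict:9} {req}")
```

In a real handler, a `None` from `serve_spa()` should become a 400 or 404 response without echoing the decoded path, and the route should be reachable only after whatever authentication the rest of the application requires. Python 3.9 or newer is needed for `Path.is_relative_to`.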