Executive Summary

CVE-2026-42605 is a path traversal vulnerability in AzuraCast versions 0.23.5 and earlier. It occurs because the currentDirectory parameter in the Flow.js media upload endpoint is not properly sanitized, allowing an authenticated user with media management permissions to write files outside the intended media storage directory.

This vulnerability enables an attacker to upload arbitrary files, including PHP webshells, to the web root directory. This can lead to remote code execution, allowing the attacker to execute system commands with the privileges of the AzuraCast application user.

The issue arises because the currentDirectory parameter is concatenated after filename sanitization, reintroducing path traversal sequences like "../". Although uploading a PHP file triggers an exception due to invalid MIME type, the file is still copied to the traversed path before the exception propagates.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the server hosting AzuraCast. An attacker with media management permissions can upload a PHP webshell, gaining the ability to execute arbitrary system commands.

Exploitation can lead to full server compromise, privilege escalation, and unauthorized access to sensitive data such as database credentials, API keys, and application secrets.

The vulnerability has a high CVSS score of 8.8, indicating a high severity with network attack vector, low attack complexity, and no user interaction required.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized file writes outside the intended media storage directory, especially PHP files that could be webshells.

Since exploitation requires an authenticated user with media management permissions to upload files via the Flow.js media upload endpoint, reviewing logs for suspicious POST requests to /api/station/{station_id}/files/upload with unusual path traversal sequences in the currentDirectory parameter (e.g., ../) is recommended.

• Check web server or application logs for POST requests containing '../' or other path traversal patterns in the currentDirectory parameter.
• Use commands like grep or similar to search logs, for example: grep -r "currentDirectory=.*\.\./" /path/to/azuracast/logs
• Scan the filesystem for unexpected PHP files outside the media storage directory, for example: find /var/azuracast/www/public -name '*.php' -type f
• Monitor for recently created or modified files outside the expected media directories that could indicate a webshell upload.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade AzuraCast to version 0.23.6 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, restrict media management permissions to trusted users only, as exploitation requires authenticated users with such permissions.

Implement monitoring and alerting for suspicious file uploads and path traversal attempts.

Consider using remote storage backends (e.g., S3) instead of the default local filesystem storage backend, as remote backends are not affected by this vulnerability.

Review and sanitize inputs to the currentDirectory parameter and ensure path normalization is enforced if custom patches or workarounds are applied.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user with media management permissions to achieve remote code execution by writing arbitrary files outside the intended media storage directory, potentially leading to full server compromise.

Such a compromise can result in unauthorized access to sensitive data including database credentials, API keys, and application secrets.

This exposure and potential data breach could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access.

Useful 0 Not Useful 0