CVE-2026-6815
Arbitrary File Write via Path Traversal in Casdoor
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| casdoor | casdoor | to 3.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6815 is an arbitrary file write vulnerability in Casdoor's Local File System storage provider. It occurs because the system does not properly sanitize user-supplied file paths during uploads.
An authenticated attacker with administrative privileges can exploit this vulnerability by performing a Path Traversal attack, using directory traversal sequences (like ../../) to escape the intended storage directory.
This allows the attacker to create or overwrite arbitrary files anywhere on the host filesystem where the Casdoor process has write permissions, bypassing the application's intended storage sandbox.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including the ability for an attacker to overwrite critical files on the host system.
For example, an attacker could overwrite Casdoorβs backend database (casdoor.db), disrupting authentication services.
Such disruption could lead to denial of service or potentially full host compromise if the attacker gains control over important system files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized or suspicious file writes outside the intended storage directory of Casdoor's Local File System provider. Since exploitation uses directory traversal sequences (e.g., ../../) during file uploads, inspecting logs for such patterns can help identify attempts.
Commands to detect potential exploitation attempts include searching Casdoor upload logs or filesystem audit logs for directory traversal patterns or unexpected file modifications.
- grep -r '\.\./' /path/to/casdoor/logs
- auditctl -w /path/to/casdoor/storage -p wa -k casdoor_monitor
- ausearch -k casdoor_monitor
Additionally, monitoring for unexpected changes to critical files such as casdoor.db can indicate exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting administrative access to Casdoor to trusted users only, limiting filesystem permissions for the Casdoor service account to prevent writing outside the intended directories, and disabling the Local File System storage provider if it is not essential.
Applying any available patches or updates that address this vulnerability as soon as possible is also critical.