CVE-2026-36500
Status: Deferred - Pending Action
Directory Traversal in Controller v12.0.5

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: MITRE

Description
An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-25
Affected Vendors & Products (1 associated CPE)
Vendor        Product      Version / Range
opendaylight  controller   12.0.5
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Detection Guidance

The CVE-2026-36500 vulnerability can be detected by monitoring for crafted RESTCONF HTTP POST requests targeting the cluster-admin:backup-datastore component of the OpenDaylight Controller version 12.0.5. These requests attempt directory traversal by manipulating the file-path parameter to write arbitrary files.

Detection can involve inspecting HTTP POST requests for suspicious file-path parameters that resolve outside the permitted base directory.

Specific commands are not provided in the available resources, but network monitoring tools or web application firewalls (WAFs) can be configured to log and alert on RESTCONF POST requests containing path traversal patterns such as '../' sequences.

Mitigation Strategies

The immediate mitigation step is to apply input validation and restrict the file-path parameter to a permitted base directory, rejecting any paths that resolve outside this directory.

Since the vulnerability allows arbitrary file writes via crafted requests, ensure that your OpenDaylight Controller is updated to a version where this issue is fixed, or apply patches that enforce this validation.

Additionally, monitor and block suspicious RESTCONF HTTP POST requests that attempt directory traversal patterns until the fix is applied.
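As an added example (not OpenDaylight's own code, and written in Python rather than the project's Java), the following implements the check the mitigation above describes: the submitted file-path value is canonicalised against a permitted base directory and rejected if it resolves outside it. The base directory, function names and the demo layout are constructed assumptions; the same function can be run over file-path values pulled from RESTCONF request logs to flag attempts the detection guidance describes, since it also catches absolute paths and symlink escapes that a plain '../' pattern match misses.

```python
import os
import tempfile
from typing import Optional

def safe_backup_path(base_dir: str, file_path: str) -> Optional[str]:
    """Return the canonical path of file_path inside base_dir, or None if it escapes.

    Both sides are canonicalised (symlinks, '.', '..'), then compared by path
    component so that a sibling such as 'backups-old' is not accepted as a
    child of 'backups' by a plain string-prefix test.
    """
    if not file_path or "\x00" in file_path:
        return None
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real when file_path is absolute, so an absolute
    # value resolves outside the base and fails the commonpath check below.
    candidate = os.path.realpath(os.path.join(base_real, file_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def demo() -> dict:
    """Run the check against a constructed layout: a base directory, a sibling
    that shares its name prefix, and a symlink inside the base pointing out."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "backups")
    os.makedirs(base)
    os.makedirs(os.path.join(root, "backups-old"))
    os.symlink(os.path.join(root, "elsewhere"), os.path.join(base, "link"))
    # file-path value -> whether it should be accepted
    cases = {
        "daily.json": True,
        "2026/06/daily.json": True,
        "a/../daily.json": True,            # '..' that stays inside
        "../../etc/passwd": False,          # classic traversal
        "/etc/crontab": False,              # absolute path
        "../backups-old/x.json": False,     # sibling with shared prefix
        "link/x.json": False,               # symlink escape
    }
    # True for every entry means the check behaved as expected
    return {p: (safe_backup_path(base, p) is not None) == ok for p, ok in cases.items()}

if __name__ == "__main__":
    for path, matched in demo().items():
        print(f"{'ok ' if matched else 'BAD'} {path}")
```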

Compliance Impact

The provided information does not include any details about how the CVE-2026-36500 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-36500 vulnerability affects the OpenDaylight (ODL) Controller version 12.0.5, specifically in the cluster-admin:backup-datastore component.

It is a path traversal vulnerability that can be exploited remotely via a crafted RESTCONF HTTP POST request.

This flaw allows attackers to write arbitrary files to any location accessible by the ODL process by manipulating the file-path parameter.

The issue arises because the file-path parameter is not properly validated or restricted to a permitted base directory.

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files anywhere the OpenDaylight process has access.

Such unauthorized file writes can lead to system compromise, including the possibility of executing malicious code, altering configurations, or disrupting normal operations.

Because the exploit is remote and can be triggered via a crafted HTTP POST request, it increases the risk of unauthorized access and control over the affected system.
