Arbitrary File Deletion in Bookcars via Path Traversal

Executive Summary

CVE-2026-36726 is an arbitrary file deletion vulnerability in the BookCars software version 8.3 and earlier. It exists in the /api/delete-temp-license/{file} endpoint, where the file parameter is used directly to build a file path without proper validation.

This lack of validation allows unauthenticated attackers to supply directory traversal sequences (such as '..' or encoded variants) to delete arbitrary files on the server.

The vulnerability arises because the file path parameter is concatenated into the filesystem path without checking for path traversal patterns, enabling attackers to remove files outside the intended directory.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to delete arbitrary files on the server running the BookCars application without authentication.

Such unauthorized file deletion can disrupt the normal operation of the application, potentially causing service outages or loss of important data.

Additionally, deleting sensitive files could expose or compromise data integrity, leading to further security risks.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server, which could lead to disruption of application functionality or exposure of sensitive data.

Such unauthorized file deletion and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining data integrity and availability.

Mitigations such as validating file paths, implementing access controls, and running services with least privilege are necessary to reduce the risk and help maintain compliance.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized HTTP requests to the `/api/delete-temp-license/{file}` endpoint that include directory traversal sequences such as `..` or encoded variants like `%2F..%2F`.

You can use network monitoring tools or web server logs to identify such requests.

Example commands to detect exploitation attempts include:

• Using grep on web server logs to find directory traversal patterns: `grep -E '\.\.|%2F\.\./' /var/log/nginx/access.log`
• Using curl to test the endpoint with a crafted request: `curl -v 'http://target/api/delete-temp-license/..%2F..%2Fetc%2Fpasswd'` to see if unauthorized file deletion is possible.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Implement input validation to reject directory traversal sequences in the `file` parameter.
• Canonicalize file paths before processing to ensure they do not escape intended directories.
• Validate filenames against an allowlist of permitted files.
• Implement proper access controls to restrict who can invoke the delete endpoint.
• Run the service with least privilege to limit the impact of any successful exploitation.

Useful 0 Not Useful 0