CVE-2026-36726
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
An arbitrary file deletion vulnerability in the /api/delete-temp-license/{file} endpoint of bookcars v8.3 allows unauthenticated attackers to delete arbitrary files via supplying directory traversal sequences.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor    Product    Version / Range
bookcars  bookcars   8.3
CWE ID Description
CWE-UNKNOWN
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server, which could lead to disruption of application functionality or exposure of sensitive data.

Such unauthorized file deletion and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining data integrity and availability.

Mitigations such as validating file paths, implementing access controls, and running services with least privilege are necessary to reduce the risk and help maintain compliance.

Executive Summary

CVE-2026-36726 is an arbitrary file deletion vulnerability in the BookCars software version 8.3 and earlier. It exists in the /api/delete-temp-license/{file} endpoint, where the `file` parameter is used directly to build a filesystem path without proper validation.

This lack of validation allows unauthenticated attackers to supply directory traversal sequences (such as '..' or encoded variants) to delete arbitrary files on the server.

The vulnerability arises because the file path parameter is concatenated into the filesystem path without checking for path traversal patterns, enabling attackers to remove files outside the intended directory.

Impact Analysis

This vulnerability can allow attackers to delete arbitrary files on the server running the BookCars application without authentication.

Such unauthorized file deletion can disrupt the normal operation of the application, potentially causing service outages or loss of important data.

Additionally, deleting sensitive files could expose or compromise data integrity, leading to further security risks.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized HTTP requests to the `/api/delete-temp-license/{file}` endpoint that include directory traversal sequences such as `..` or encoded variants like `%2F..%2F`.

You can use network monitoring tools or web server logs to identify such requests.

Example commands to detect exploitation attempts include:

  • Using grep on web server logs to find requests to the endpoint that carry traversal patterns, in plain or percent-encoded form: `grep -E '/api/delete-temp-license/[^ ]*(\.\.|%2[eE]%2[eE])' /var/log/nginx/access.log`
  • Using curl to test the endpoint with a crafted request: `curl -v 'http://target/api/delete-temp-license/..%2F..%2Fetc%2Fpasswd'` to see if unauthorized file deletion is possible.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement input validation to reject directory traversal sequences in the `file` parameter.
  • Canonicalize file paths before processing to ensure they do not escape intended directories.
  • Validate filenames against an allowlist of permitted files.
  • Implement proper access controls to restrict who can invoke the delete endpoint.
  • Run the service with least privilege to limit the impact of any successful exploitation.