CVE-2026-41412
Deferred Deferred - Pending Action
Path Traversal in alf.io Ticket System

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every extension script's scope. The `postFileAndSaveResponse()` method accepts an arbitrary filesystem path as its `file` parameter and reads the file contents using `new FileInputStream(file)` with no path validation, directory restriction, or allowlist. A malicious extension script can read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server via HTTP POST. Version 2.0-M5-2606 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-41412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alf.io alf.io to 2.0-M5-2606 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves identifying whether the alf.io system is running a vulnerable version (versions ≀ 2.0-M5-2509-1) and if any malicious extension scripts are using the simpleHttpClient.postFileAndSaveResponse() method to read arbitrary files and exfiltrate data.

Since the vulnerability requires an authenticated administrator to register malicious extension scripts, monitoring for unusual or unauthorized extension scripts or suspicious HTTP POST requests to external servers can help detect exploitation attempts.

Suggested commands or approaches include:

  • Check the alf.io version installed to confirm if it is vulnerable.
  • Monitor HTTP POST traffic from the alf.io server to unknown or suspicious external IP addresses or domains using network monitoring tools like tcpdump or Wireshark.
  • Example tcpdump command to capture HTTP POST requests: tcpdump -i <interface> 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Inspect the extension scripts registered in alf.io for any unauthorized or suspicious scripts that invoke simpleHttpClient.postFileAndSaveResponse().
  • Review application logs for any calls to postFileAndSaveResponse() or unusual file access patterns.
Executive Summary

The vulnerability exists in alf.io, an open source ticket reservation system. Before version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client into every extension script's scope. One method, postFileAndSaveResponse(), accepts a file path parameter and reads the file contents without validating the path or restricting directory access. This allows a malicious extension script to read any file accessible to the JVM process user and send its contents to an attacker-controlled server via HTTP POST.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files on the server running alf.io. An attacker who can run a malicious extension script can read arbitrary files accessible by the JVM user and exfiltrate their contents to an external server. This could expose confidential information, credentials, or other sensitive data, potentially leading to further compromise or data breaches.

Mitigation Strategies

To mitigate this vulnerability, upgrade alf.io to version 2.0-M5-2606 or later, where the issue has been patched.

Compliance Impact

This vulnerability allows a malicious extension script to read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server. Such unauthorized access and potential data exfiltration could lead to breaches of sensitive or personal data.

As a result, this vulnerability may impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls over access to and protection of personal and sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41412. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart