CVE-2026-52756
Received Received - Intake
Path Traversal in Ghidra IsfServer

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages with traversal sequences to enumerate filesystem paths and probe arbitrary files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-52756
EUVD
EUVD-2026-36015
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
national_security_agency ghidra to 12.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-52756 is an unauthenticated path traversal vulnerability in the Debugger ISF Server component of Ghidra, a software reverse engineering tool. The IsfServer listens on TCP port 54321 and accepts client-supplied namespace strings that are directly used as file paths without validation. This allows remote attackers to send crafted protobuf messages containing path traversal sequences to access or enumerate arbitrary files on the filesystem.

The vulnerability occurs because the server passes the namespace parameter directly to filesystem operations without sanitizing it, enabling attackers to traverse directories using sequences like '../../../../etc/shadow.gdt'. The server attempts to open these files as Ghidra archives, and different error messages can be used to infer the presence of files.

This flaw is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and does not require authentication, making it accessible to any network client with access to the port.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

Exploiting this vulnerability allows remote attackers to enumerate filesystem paths and probe arbitrary files on the affected system without authentication.

While full file reading requires the target file to be parseable as a Ghidra archive, attackers can still gain information about the filesystem structure and presence of files based on error responses.

Additionally, targeting large files could lead to denial of service conditions.

Because the server listens on a network port without authentication, any client with network access to port 54321 can attempt exploitation.

Detection Guidance

This vulnerability can be detected by checking if the Debugger ISF Server component of Ghidra is running and listening on TCP port 54321. Since the server accepts unauthenticated connections, you can attempt to connect to this port and send crafted protobuf messages containing path traversal sequences to observe the server's responses.

Network scanning tools like nmap can be used to detect if port 54321 is open on your systems:

  • nmap -p 54321 <target-ip>

To further test for the vulnerability, you can use a custom script or tool to send protobuf messages with traversal sequences (e.g., ../../../../etc/shadow.gdt) to port 54321 and analyze the responses for differences indicating filesystem enumeration.

Mitigation Strategies

Immediate mitigation steps include disabling or not running the Debugger ISF Server component of Ghidra, as it is an experimental feature that must be manually launched and has no supported use cases.

If the server must be used, restrict network access to TCP port 54321 by firewall rules to prevent unauthorized remote connections.

Additionally, upgrade Ghidra to version 12.2 or later, where this vulnerability has been addressed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52756. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart