CVE-2026-55477
Status: Received - Intake
Authenticated File Write in 3X-UI Leading to Remote Code Execution

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
3x-ui 3x-ui 3.3.1
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-55477 is a vulnerability in the 3X-UI web control panel for managing Xray-core servers, affecting versions up to 3.3.0. An authenticated administrator can exploit the database import functionality to perform arbitrary file writes on the host system by modifying Xray configuration values stored in the database.

Specifically, the attacker can change the log file path configuration to point to an arbitrary file. By injecting controlled content into a client's email field and triggering a connection, the attacker forces Xray to write this content to the specified file. This allows arbitrary file write as the user running Xray, potentially leading to code execution and persistent access.

If Xray runs with root privileges, the attacker can gain root-level access. The vulnerability is fixed in version 3.3.1 by restricting log paths to the panel's log folder to prevent path traversal.

Compliance Impact

This vulnerability allows an authenticated administrator to achieve arbitrary file write on the host system, potentially leading to code execution and persistent access, including root access if the Xray service runs with elevated privileges.

Such unauthorized access and potential data manipulation or exposure could lead to violations of common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and system security.

If exploited, this vulnerability could result in unauthorized access to sensitive data or system components, thereby compromising compliance with these regulations.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution and persistent access on the host system running Xray-core servers.

An attacker with authenticated administrator access can write arbitrary files, potentially injecting malicious code that runs with the privileges of the Xray process.

If Xray is running as root, the attacker can gain root-level control over the system, leading to full system compromise.

Detection Guidance

This vulnerability can be detected by checking for unauthorized modifications to the Xray configuration values stored in the database, especially the `xrayTemplateConfig.log.access` path which may be altered to point to arbitrary files.

One approach is to audit the database entries related to Xray configuration for suspicious or unexpected file paths.

Additionally, monitoring for unusual file writes or new files created by the Xray process outside of its normal log directory can indicate exploitation attempts.

  • Use database query commands to inspect the configuration values, for example, if using SQLite (adjust the table and key names to the schema of your installation): `sqlite3 /path/to/3x-ui/database.db "SELECT * FROM configurations WHERE key LIKE '%log.access%';"`
  • Check for recently modified files by the Xray user outside the expected log folder: `find / -user xray -mtime -7 -type f` (substitute the account Xray actually runs under; if it runs as root, this filter will not single out its writes)
  • Review Xray process logs and system logs for suspicious activity or errors related to file writes.

Mitigation Strategies

The immediate mitigation step is to upgrade the 3X-UI software to version 3.3.1 or later, where the vulnerability has been fixed by restricting log paths to the panel's log folder.

Until the upgrade can be performed, restrict access to the 3X-UI control panel to trusted administrators only, as the vulnerability requires authenticated administrator privileges.

Audit and revert any unauthorized changes to the Xray configuration values in the database, especially those related to log file paths.

Monitor the system for suspicious file writes or unexpected behavior from the Xray process.
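As an added example (not from this advisory or the 3X-UI project), the following Python audits the `log.access` and `log.error` values of an Xray template config pulled from the panel database, flagging any path that escapes the panel's log folder after `..` and symlinks are resolved, and it includes the kind of restriction the 3.3.1 fix is described as applying. The log folder path, the JSON shape and the sample config are assumed or constructed.

```python
import json
import os

# Assumed panel log folder; point this at the folder your installation uses.
PANEL_LOG_DIR = "/var/log/3x-ui"

# Constructed sample of an Xray template config as it might be stored by the panel:
# "access" stays inside the log folder, "error" has been tampered with to escape it.
SAMPLE_TEMPLATE = json.dumps({
    "log": {
        "access": "/var/log/3x-ui/access.log",
        "error": "../outside.log",
        "loglevel": "warning",
    }
})


def is_inside(path: str, base: str) -> bool:
    """True if `path` (relative paths are taken under `base`) resolves inside `base`
    once '..' segments and symlinks are resolved."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(os.path.join(real_base, path))
    return os.path.commonpath([real_base, real_path]) == real_base


def audit_log_paths(template_json: str, base: str = PANEL_LOG_DIR) -> dict:
    """Return {field: value} for every log path that points outside `base`.
    An empty value or "none" means 'no log file' to Xray, so those are skipped."""
    cfg = json.loads(template_json)
    log = cfg.get("log") or {}
    findings = {}
    for field in ("access", "error"):
        value = log.get(field)
        if not value or value == "none":
            continue
        if not is_inside(value, base):
            findings[field] = value
    return findings


def restrict_log_path(path: str, base: str = PANEL_LOG_DIR) -> str:
    """Hardened form: keep only the file name and place it under the log folder,
    so a stored value can never select a file outside `base`."""
    name = os.path.basename(path.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError(f"no usable file name in {path!r}")
    return os.path.join(os.path.realpath(base), name)


if __name__ == "__main__":
    print("log paths escaping the log folder:", audit_log_paths(SAMPLE_TEMPLATE))
    print("restricted:", restrict_log_path("../outside.log"))
```

To use it against a live panel, export the stored template JSON with the database query above and pass it to `audit_log_paths`; any finding is a value to revert.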
