CVE-2026-56815
Deferred Deferred - Pending Action
Symlink Following in pwnlift Upload Handler

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-56815
EUVD
EUVD-2026-38454
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rasta-mouse pwnlift *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-56815 is a vulnerability in the pwnlift application, specifically in its file upload handler located in Components/Pages/Home.razor. The issue arises from the application following symbolic links (symlinks) improperly when determining where to save uploaded files. This allows an attacker to exploit the upload functionality to write files to arbitrary locations on the system if the application is running with elevated privileges.

The vulnerability involves a symlink following flaw (CWE-59) combined with a Time-of-Check to Time-of-Use (TOCTOU) race condition (CWE-367). The upload handler originally constructed file paths based on the current working directory without properly validating or canonicalizing paths, allowing attackers to bypass intended directory restrictions.

The fix involved anchoring the upload directory to the application install directory, checking for symlinks and disabling uploads if detected, resolving full canonical paths, and validating that uploaded files remain within the intended directory to prevent path traversal attacks.

Impact Analysis

If you run pwnlift with elevated privileges (such as root), this vulnerability allows a local attacker to write arbitrary files anywhere on the system. This can lead to unauthorized modification or creation of critical system files.

Such unauthorized file writes can compromise system integrity, potentially allowing privilege escalation, persistent backdoors, or disruption of normal system operations.

The vulnerability is especially dangerous in privileged deployments where the application runs as root without proper directory restrictions.

Detection Guidance

This vulnerability involves a symlink following issue in the upload handler of pwnlift when running with elevated privileges. Detection involves checking if the upload directory or its path components are symbolic links (reparse points) and verifying if the application is running with elevated privileges without proper path validation.

You can detect potential exploitation or presence of this vulnerability by inspecting the upload directory for symbolic links and checking the running process privileges.

  • Check if the upload directory is a symbolic link: `ls -ld /path/to/upload/directory`
  • Find symbolic links within the upload directory: `find /path/to/upload/directory -type l`
  • Check the current working directory of the running pwnlift process: `ls -l /proc/$(pidof pwnlift)/cwd`
  • Verify if pwnlift is running with elevated privileges (e.g., as root): `ps aux | grep pwnlift`
  • Monitor file writes to sensitive locations that could indicate exploitation attempts, for example using auditd or inotify tools.
Mitigation Strategies

Immediate mitigation steps focus on preventing the exploitation of the symlink following and TOCTOU race condition vulnerabilities in the pwnlift upload handler.

  • Apply the upstream patch that anchors the upload root directory to the application install directory and enforces path containment to prevent path traversal.
  • Ensure the upload directory is not a symbolic link and disable uploads if a symlink is detected.
  • Avoid running pwnlift with elevated privileges (such as root) or remove privileged sudo entries that allow running pwnlift as root.
  • Verify and enforce proper ownership and permissions on the upload directory and related files.
  • Update your deployment to use the fixed version of pwnlift that includes the security improvements described.
Compliance Impact

CVE-2026-56815 allows a local user to write arbitrary files as root due to a symlink following vulnerability and a TOCTOU race condition in the upload handler of pwnlift when running with elevated privileges.

This vulnerability could lead to unauthorized modification or creation of files on the system, potentially compromising the confidentiality, integrity, and availability of sensitive data.

Such unauthorized access and file manipulation may violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over data protection, integrity, and access.

Specifically, the ability to write arbitrary files as root could result in data breaches or unauthorized data alteration, undermining regulatory obligations to protect personal and health information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56815. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart