CVE-2026-16209
Received Received - Intake

Authentication Bypass in Gerapy via Project Upload

Vulnerability report for CVE-2026-16209, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability has been found in Gerapy up to 0.9.13. The impacted element is an unknown function of the file gerapy/server/core/views.py of the component Project Upload Endpoint. Such manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is bd4891c60315f17611a3b7a651ffe0fba7cfe71e. Applying a patch is advised to resolve this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gerapy gerapy to 0.9.13 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16209 is a vulnerability in Gerapy versions up to 0.9.13 affecting the project_upload endpoint in gerapy/server/core/views.py. The issue involves missing authentication due to a commented-out decorator and a Zip Slip vulnerability. Attackers can upload malicious ZIP files without authentication, leading to arbitrary file writes and potential remote code execution.

Detection Guidance

Check Gerapy server logs for unauthorized POST requests to /api/project/upload without authentication. Inspect uploaded ZIP files for path traversal sequences like ../../.. in filenames. Verify if files are extracted outside the PROJECTS_FOLDER directory.

Impact Analysis

This vulnerability allows remote attackers to upload arbitrary files without authentication. It can lead to unauthorized file writes, overwriting existing project files, injecting malicious Scrapy projects, or executing arbitrary code on the server. Attackers could gain control over deployed crawlers or manipulate system behavior.

Compliance Impact

This vulnerability allows unauthenticated arbitrary file uploads and path traversal, which could lead to unauthorized access to sensitive data or system files. For GDPR, this may violate principles of data protection and integrity, potentially resulting in unauthorized data exposure or processing. For HIPAA, it could compromise protected health information by allowing unauthorized file writes or code execution on systems handling such data.

Mitigation Strategies

Apply the patch bd4891c60315f17611a3b7a651ffe0fba7cfe71e to restore authentication and validate ZIP file paths. Ensure the @permission_classes([IsAuthenticated]) decorator is enabled in gerapy/server/core/views.py. Monitor for unauthorized upload attempts and block malicious ZIP files containing path traversal sequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16209. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart