Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12198

CVE-2026-12198: Microweber Path Traversal Vulnerability

CVE-2026-12198 is a path traversal vulnerability in Microweber up to version 2.0.20 affecting the API endpoint. Attackers can remotely exploit this flaw to access unauthorized files. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-12198 Overview

CVE-2026-12198 is a path traversal vulnerability [CWE-22] affecting Microweber content management system versions up to 2.0.20. The flaw resides in the userfiles_path function within the /api_nosession/thumbnail_img API endpoint. An attacker can manipulate the cache_path_relative argument to traverse outside the intended directory and access files on the underlying file system. The vulnerability is exploitable remotely without authentication or user interaction. According to the disclosure, the exploit is publicly available, and the vendor did not respond to early notification.

Critical Impact

Unauthenticated remote attackers can traverse the file system through the cache_path_relative parameter, potentially exposing sensitive application or system files.

Affected Products

  • Microweber CMS versions up to and including 2.0.20
  • Component: API Endpoint /api_nosession/thumbnail_img
  • Function: userfiles_path

Discovery Timeline

  • 2026-06-15 - CVE-2026-12198 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-12198

Vulnerability Analysis

The vulnerability is a path traversal weakness in the Microweber application's image thumbnail API. The /api_nosession/thumbnail_img endpoint is reachable without an active session, exposing the function to anonymous network requests. The userfiles_path function consumes the cache_path_relative parameter and uses it to construct a file system path. Because the parameter is not properly normalized or constrained, an attacker can supply traversal sequences such as ../ to escape the intended user files directory.

This class of weakness is categorized under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory. Successful exploitation can disclose configuration files, application source, or other readable artifacts on the server. The disclosure indicates a public exploit exists, increasing opportunistic scanning risk.

Root Cause

The root cause is missing input validation and canonicalization on the cache_path_relative argument before it is concatenated into a file path. The endpoint also lacks session enforcement, removing an authentication barrier that would otherwise limit attacker access.

Attack Vector

An attacker sends a crafted HTTP request to the /api_nosession/thumbnail_img endpoint with a traversal payload in the cache_path_relative parameter. The attack requires no privileges and no user interaction. Refer to the Microweber Path Traversal Report and the VulDB CVE-2026-12198 entry for technical details.

Detection Methods for CVE-2026-12198

Indicators of Compromise

  • HTTP requests to /api_nosession/thumbnail_img containing ../ or URL-encoded equivalents (%2e%2e%2f, %2e%2e/) in the cache_path_relative parameter.
  • Web server access logs showing repeated probes against the /api_nosession/ path prefix from unauthenticated sources.
  • File read access patterns to sensitive files such as /etc/passwd, .env, or Microweber configuration files originating from the web application process.

Detection Strategies

  • Inspect web access logs for traversal patterns in query strings and POST bodies targeting the affected endpoint.
  • Deploy web application firewall (WAF) rules that flag directory traversal sequences in any parameter passed to Microweber API endpoints.
  • Correlate anomalous file reads by the PHP-FPM or web server process with inbound requests to /api_nosession/thumbnail_img.

Monitoring Recommendations

  • Enable verbose logging on the Microweber application and the fronting web server to capture full request parameters.
  • Forward web and file access telemetry to a centralized log platform for retroactive hunting against traversal indicators.
  • Alert on unauthenticated access to API endpoints under /api_nosession/ that read files outside the configured userfiles directory.

How to Mitigate CVE-2026-12198

Immediate Actions Required

  • Restrict network access to the Microweber administrative and API endpoints to trusted networks until a patched version is available.
  • Deploy WAF rules that reject requests containing path traversal sequences in the cache_path_relative parameter.
  • Audit web server logs for prior exploitation attempts against /api_nosession/thumbnail_img.

Patch Information

At the time of publication, the vendor had not responded to the disclosure and no official patch is referenced in the advisory. Monitor the Microweber GitHub repository and GitHub Issue #1172 for vendor updates and remediation commits.

Workarounds

  • Block external access to /api_nosession/thumbnail_img at the reverse proxy or WAF layer if the thumbnail functionality is not required.
  • Enforce strict file system permissions so the web server user cannot read sensitive files outside the Microweber web root.
  • Run the Microweber process in a chrooted or containerized environment to limit the scope of any successful traversal.
bash
# Example nginx rule to block traversal payloads on the affected endpoint
location /api_nosession/thumbnail_img {
    if ($args ~* "(\.\./|%2e%2e%2f|%2e%2e/)") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.