
CVE-2026-1776: Camaleon CMS Path Traversal Vulnerability

CVE-2026-1776 is a path traversal vulnerability in Camaleon CMS that allows authenticated users to read arbitrary files on servers using AWS S3 storage. This article covers technical details, affected versions, and mitigation.

CVE-2026-1776 Overview

CVE-2026-1776 is a path traversal vulnerability in Camaleon CMS versions 2.4.5.0 through 2.9.0, fixed in commit f54a77e. The flaw resides in the download_private_file functionality when the application uses the CamaleonCmsAwsUploader backend. Unlike the local uploader, the AWS S3 uploader does not validate paths with valid_folder_path?, allowing directory traversal sequences in the file parameter. Authenticated users, including low-privileged registered accounts, can read arbitrary files from the web server filesystem, such as /etc/passwd. This vulnerability bypasses the incomplete fix for CVE-2024-46987.

Critical Impact

Authenticated low-privileged users can read sensitive files from the server filesystem, exposing credentials, configuration data, and system information.

Affected Products

  • Tuzitio Camaleon CMS versions 2.4.5.0 through 2.9.0
  • Deployments configured with the CamaleonCmsAwsUploader backend
  • Installations prior to commit f54a77e2a7be601215ea1b396038c589a0cab9af

Discovery Timeline

  • 2026-03-10 - CVE-2026-1776 published to NVD
  • 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-1776

Vulnerability Analysis

The vulnerability is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory. Camaleon CMS exposes a download_private_file action intended to serve user-uploaded private content. When the AWS S3 uploader backend is enabled, the handler accepts a file parameter and returns the corresponding file contents.

The local uploader implementation routes the requested path through a valid_folder_path? check that constrains access to the designated uploads directory. The AWS uploader code path omits this validation entirely. Attackers supply directory traversal sequences such as ../../../../etc/passwd to escape the intended storage scope and reach files on the underlying server filesystem.

Exploitation requires only an authenticated session. Camaleon CMS deployments that permit self-registration expose this functionality to any visitor who creates an account. The attacker reads system files, application configuration, secrets, and credentials, which often enables follow-on compromise.

Root Cause

The root cause is missing path validation in the AWS S3 uploader branch of download_private_file. The fix in commit f54a77e applies the same valid_folder_path? check used by the local uploader, rejecting traversal sequences before file retrieval.
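The pattern described above, as an added Ruby illustration that is not Camaleon CMS's own code: an unchecked join of the request parameter to the storage root (the defect the advisory attributes to the S3 branch) next to a containment check in the spirit of valid_folder_path?. The uploads root, function names and sample inputs are constructed for the example; the real project's paths and helper are not reproduced here.

```ruby
require "pathname"

# Hypothetical uploads root used for this illustration (constructed path).
UPLOADS_ROOT = "/var/app/private_uploads".freeze

# The defect the advisory describes for the S3 branch: the request parameter
# is joined to the storage root with no validation, so ".." segments are
# resolved by the filesystem and can leave the uploads directory.
def unsafe_private_path(file_param, root: UPLOADS_ROOT)
  File.join(root, file_param.to_s)
end

# Hardened lookup: resolve the requested name against the root and require the
# result to stay inside it. The framework has already percent-decoded
# params[:file] once, so an encoded "../" arrives here as plain "../" and is
# caught by the same containment test. A leading "/" is treated as relative to
# the root rather than as an absolute path.
def safe_private_path(file_param, root: UPLOADS_ROOT)
  name = file_param.to_s
  # NUL bytes can truncate paths in native file APIs; reject them outright.
  return nil if name.empty? || name.include?("\0")

  root_path = Pathname.new(root).cleanpath
  relative  = name.tr("\\", "/").sub(%r{\A/+}, "")
  return nil if relative.empty?

  # Pathname#+ resolves leading ".." segments against the root; cleanpath
  # collapses any interior "." and ".." segments that remain.
  candidate = (root_path + relative).cleanpath
  prefix    = root_path.to_s + File::SEPARATOR
  candidate.to_s.start_with?(prefix) ? candidate.to_s : nil
end
```

The check compares the fully resolved path against the root with a trailing separator, so a sibling directory whose name merely begins with the root name (for example private_uploads_old) is also rejected.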

Attack Vector

The attack vector is network-based and requires low privileges. An authenticated user issues an HTTP request to the private file download endpoint with a crafted file parameter containing ../ sequences. The server resolves the path relative to the storage root and returns the contents of the target file. No user interaction is required beyond the attacker's own request.

The vulnerability does not affect deployments that exclusively use the local uploader backend.

Detection Methods for CVE-2026-1776

Indicators of Compromise

  • HTTP requests to download_private_file endpoints containing ../ or URL-encoded %2e%2e%2f sequences in the file parameter
  • Unexpected access patterns from low-privileged or newly registered user accounts targeting private file endpoints
  • Web server responses returning non-upload file content such as /etc/passwd, .env, or Rails configuration files

Detection Strategies

  • Review Rails application logs for download_private_file requests with suspicious file parameter values
  • Inspect reverse proxy and web server access logs for traversal patterns directed at Camaleon CMS routes
  • Correlate authenticated session activity with anomalous file download volumes from non-administrative users
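A worked version of the log review above, covering both the indicators listed under Indicators of Compromise and the first two detection strategies. This is an added example, not tooling from the page or the project: it parses combined-format access log lines, isolates the file parameter of requests to a download_private_file route, percent-decodes it repeatedly so single- and double-encoded payloads are normalised, and flags any value containing a ".." segment. The route path, user names, addresses and log lines are constructed placeholders, not Camaleon CMS's real route or real data.

```ruby
require "uri"

# Constructed sample access-log lines (combined log format). The route and
# account names are placeholders for this example only.
SAMPLE_LOG = <<~LOG
  203.0.113.10 - alice [10/Mar/2026:10:01:02 +0000] "GET /admin/media/download_private_file?file=reports/q1.pdf HTTP/1.1" 200 5120
  203.0.113.44 - newuser7 [10/Mar/2026:10:02:15 +0000] "GET /admin/media/download_private_file?file=../../../../etc/passwd HTTP/1.1" 200 1834
  203.0.113.44 - newuser7 [10/Mar/2026:10:02:19 +0000] "GET /admin/media/download_private_file?file=%2e%2e%2f%2e%2e%2fconfig%2fdatabase.yml HTTP/1.1" 200 640
  203.0.113.44 - newuser7 [10/Mar/2026:10:02:31 +0000] "GET /admin/media/download_private_file?file=%252e%252e%252f.env HTTP/1.1" 200 211
  198.51.100.7 - bob [10/Mar/2026:10:03:00 +0000] "GET /admin/media/download_private_file?file=docs/readme.txt HTTP/1.1" 200 300
  198.51.100.9 - - [10/Mar/2026:10:04:00 +0000] "GET /blog/hello-world HTTP/1.1" 200 9000
LOG

# Combined log format: client, ident, user, timestamp, request line, status, bytes.
LINE_RE = /\A(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# Percent-decode until the value stops changing (bounded), so a double-encoded
# %252e%252e%252f ends up as the same "../" as a plain request.
def fully_decode(value, max_rounds: 3)
  current = value.to_s
  max_rounds.times do
    decoded = begin
      URI.decode_www_form_component(current)
    rescue ArgumentError
      current # malformed escape sequence: stop decoding
    end
    break if decoded == current
    current = decoded
  end
  current
end

# A value is a traversal indicator when, after decoding and treating "\" as a
# separator, any path segment is "..".
def traversal?(value)
  fully_decode(value).tr("\\", "/").split("/").include?("..")
end

# Scan the log text and return one finding per suspicious private-file request.
def analyze_log(text)
  findings = []
  text.each_line do |line|
    next unless (m = LINE_RE.match(line))
    path, query = m[:target].split("?", 2)
    next unless path.include?("download_private_file")

    params = query ? URI.decode_www_form(query).to_h : {}
    file = params["file"]
    next unless file && traversal?(file)

    findings << {
      ip: m[:ip], user: m[:user], time: m[:time], status: m[:status].to_i,
      file: file, decoded: fully_decode(file)
    }
  end
  findings
end

# Count flagged requests per account, for the "new account immediately hitting
# download endpoints" correlation described in the advisory.
def findings_by_user(findings)
  findings.group_by { |f| f[:user] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  analyze_log(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:ip]} user=#{f[:user]} status=#{f[:status]} file=#{f[:decoded]}"
  end
end
```

A 200 status on a flagged request is the signal worth escalating: a patched server rejects the path before reading the file, so successful responses with non-trivial byte counts suggest the file was actually served.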

Monitoring Recommendations

  • Enable verbose request logging on Camaleon CMS routes handling private file downloads
  • Deploy a web application firewall rule set that blocks directory traversal payloads in query parameters and POST bodies
  • Monitor account creation events and flag new accounts that immediately access download endpoints

How to Mitigate CVE-2026-1776

Immediate Actions Required

  • Upgrade Camaleon CMS to a version that includes commit f54a77e2a7be601215ea1b396038c589a0cab9af or later
  • Audit user accounts and disable self-registration if it is not required for business operations
  • Review web server and application logs for prior exploitation indicators targeting download_private_file

Patch Information

The fix is applied in commit f54a77e and merged via pull request #1127. The patch adds the valid_folder_path? check to the AWS S3 uploader branch, aligning its behavior with the local uploader. Additional context is available in the VulnCheck advisory.

Workarounds

  • Temporarily switch from the CamaleonCmsAwsUploader backend to the local uploader, which performs path validation
  • Restrict access to authenticated download endpoints using reverse proxy rules that reject ../ sequences
  • Run the application process under a least-privilege account that cannot read sensitive system files such as /etc/passwd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
