CVE-2026-21857 Overview
CVE-2026-21857 is a path traversal vulnerability affecting REDAXO, a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon fails to validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories, allowing attackers to supply relative paths containing ../ sequences or absolute paths inside the document root to include any readable file in the generated .tar.gz archive.
Critical Impact
Authenticated attackers with backup permissions can exfiltrate sensitive files including configuration files, database credentials, and other confidential data stored within the webroot.
Affected Products
- REDAXO CMS versions prior to 5.20.2
- REDAXO Backup Addon (bundled component)
Discovery Timeline
- 2026-01-07 - CVE-2026-21857 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21857
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists within the Backup addon component of REDAXO CMS. The vulnerability arises from improper validation of user-supplied input in the file export functionality. When authenticated users with backup permissions initiate a backup export, the system accepts an EXPDIR POST parameter that specifies which directories to include in the backup archive.
The fundamental security flaw is that the application generates a UI-based allowlist of permitted directories for export operations, but the backend processing does not enforce this allowlist when handling the actual POST request. This disconnect between the frontend restrictions and backend validation creates an exploitable condition where attackers can bypass the intended directory restrictions.
Root Cause
The root cause of this vulnerability is insufficient input validation on the EXPDIR parameter within the Backup addon's export functionality. The application fails to sanitize path traversal sequences such as ../ from user input before using it to construct file paths for the backup archive. Additionally, the backend does not verify that the requested directory exists within the predefined allowlist of permitted directories that the UI presents to users.
Attack Vector
The attack is network-based and requires authentication with backup permissions. An attacker exploits this vulnerability by manipulating the EXPDIR POST parameter during a backup export request. By injecting path traversal sequences like ../ or by specifying absolute paths within the document root, the attacker can force the backup process to include arbitrary files from the webroot in the generated .tar.gz archive.
The attack sequence involves: authenticating to the REDAXO CMS with an account that has backup addon permissions, initiating a backup export operation, intercepting or crafting the POST request to modify the EXPDIR parameter with traversal sequences, and then downloading the resulting archive which contains the exfiltrated files.
Since no verified proof-of-concept code examples are available, refer to the GitHub Security Advisory for additional technical details on the exploitation mechanism.
Detection Methods for CVE-2026-21857
Indicators of Compromise
- Unexpected or anomalous backup archive generation requests in web server access logs
- POST requests to backup export endpoints containing ../ sequences or unusual directory paths in the EXPDIR parameter
- Backup archives containing files outside of normally permitted backup directories
- Unusual account activity from users with backup permissions accessing the Backup addon
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences (../, ..%2f, etc.) in POST request parameters
- Monitor application logs for backup export operations with parameters that deviate from the expected allowlist values
- Deploy file integrity monitoring on sensitive configuration files to detect unauthorized access attempts
- Review authentication logs for suspicious activity from accounts with elevated backup permissions
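The second strategy above, flagging backup export requests whose EXPDIR value deviates from the allowlist, as an added example (not tooling from REDAXO or this advisory). It scans constructed application log lines in an assumed key=value layout, undoes repeated percent-encoding so ..%252f is treated as ../, and labels traversal sequences, absolute paths and any value that is simply not an allowlisted directory.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in an assumed "key=value" application log format;
# the real Backup addon log layout is not documented on this page.
SAMPLE_LOG = """\
2026-01-08T10:01:12Z user=backup-op action=backup_export EXPDIR=media status=200
2026-01-08T10:03:45Z user=backup-op action=backup_export EXPDIR=data/addons status=200
2026-01-08T10:07:09Z user=editor action=backup_export EXPDIR=media/../../data/core status=200
2026-01-08T10:07:31Z user=editor action=backup_export EXPDIR=..%252fdata%252fcore status=200
2026-01-08T10:08:02Z user=editor action=backup_export EXPDIR=/var/www/html/redaxo/data/core status=200
"""

# Assumed allowlist: the directories the backup UI is expected to offer.
ALLOWED_EXPDIR = {"media", "data/addons"}
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=backup_export EXPDIR=(?P<expdir>\S+)")
# A ".." path segment bounded by a separator (or the string boundary).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so ..%252f is seen as ../ (bounded rounds)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(expdir: str) -> Optional[str]:
    """Return a finding label for a suspicious EXPDIR value, else None."""
    decoded = fully_decode(expdir).replace("\\", "/")
    if TRAVERSAL_RE.search(decoded):
        return "traversal"
    if decoded.startswith("/"):
        return "absolute-path"
    if decoded.strip("/") not in ALLOWED_EXPDIR:
        return "not-in-allowlist"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Collect (user, raw EXPDIR, label) for every abnormal backup_export line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m["expdir"])
        if label:
            findings.append((m["user"], m["expdir"], label))
    return findings
```

Values that are neither traversal nor absolute but still outside the allowlist are reported too, since an attacker-controlled EXPDIR need not contain ../ to be wrong.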
Monitoring Recommendations
- Enable detailed logging for all Backup addon operations within REDAXO CMS
- Configure alerting for any backup operations that include non-standard directory paths
- Implement user behavior analytics to detect anomalous patterns from accounts with backup permissions
- Regularly audit access permissions to ensure only necessary users have backup capabilities
How to Mitigate CVE-2026-21857
Immediate Actions Required
- Upgrade REDAXO CMS to version 5.20.2 or later immediately
- Review backup addon permissions and restrict access to only essential administrative accounts
- Audit recent backup operations and generated archives for signs of unauthorized file access
- Implement network segmentation to limit access to the CMS administrative interface
Patch Information
REDAXO has addressed this vulnerability in version 5.20.2. The fix implements proper server-side validation of the EXPDIR parameter against the permitted directory allowlist, preventing path traversal attacks. Administrators should upgrade to this version or later to remediate the vulnerability.
For detailed information about the fix, refer to the REDAXO 5.20.2 Release Notes.
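To make the root cause and the fix concrete, an added model (in Python, not REDAXO's own PHP code) of the two behaviours: a resolver that trusts EXPDIR after a cosmetic "../" strip, beside one that canonicalises the value and accepts only an exact member of the server-side allowlist. The document root, directory names and allowlist are constructed assumptions; both functions take the already-decoded parameter value, as a PHP application would see it in $_POST.

```python
import os
import tempfile

# Constructed stand-in for a REDAXO document root. The directory names and the
# allowlist are assumptions for this example, not REDAXO's actual layout.
DOCROOT = tempfile.mkdtemp()
ALLOWED_DIRS = ("media", "data/addons")          # what the backup UI offers
for sub in ALLOWED_DIRS + ("data/core",):         # data/core: not exportable
    os.makedirs(os.path.join(DOCROOT, sub))


def vulnerable_resolve(expdir: str) -> str:
    """Models the flaw: the UI allowlist is never consulted server-side.
    A cosmetic '../' strip is not a control: a doubled sequence survives it,
    and an absolute path makes os.path.join discard DOCROOT entirely."""
    cleaned = expdir.replace("../", "")
    return os.path.normpath(os.path.join(DOCROOT, cleaned))


def safe_resolve(expdir: str):
    """Hardened check, as the fix description implies: canonicalise, then
    accept only an exact member of the allowlist. Being 'somewhere under the
    document root' is not sufficient, which is why absolute paths inside the
    webroot are rejected as well."""
    candidate = os.path.realpath(os.path.join(DOCROOT, expdir))
    for sub in ALLOWED_DIRS:
        if candidate == os.path.realpath(os.path.join(DOCROOT, sub)):
            return candidate
    return None  # reject: not an allowlisted export directory


if __name__ == "__main__":
    for value in ("media", "../data/core", "data/addons/....//core",
                  DOCROOT + "/data/core"):
        print(value)
        print("  flawed ->", vulnerable_resolve(value))
        print("  fixed  ->", safe_resolve(value))
```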
Workarounds
- Temporarily disable the Backup addon if immediate patching is not possible
- Revoke backup permissions from all non-essential user accounts until the patch can be applied
- Implement additional WAF rules to filter and block path traversal patterns in requests to the backup functionality
- Restrict network access to the REDAXO administrative interface to trusted IP addresses only
# Example: Restrict access to the REDAXO backend via Apache .htaccess
# Place in the redaxo/ directory; the server's AllowOverride setting must
# permit AuthConfig for the Require directives to take effect.
<IfModule mod_authz_core.c>
    <Files "index.php">
        # Several Require lines at the same level are combined as "any"
        Require ip 10.0.0.0/8
        Require ip 192.168.0.0/16
    </Files>
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.