CVE-2026-22249 Overview
CVE-2026-22249 is a critical Path Traversal vulnerability affecting Docmost, an open-source collaborative wiki and documentation software. The vulnerability exists in the Zip Import Feature and allows attackers to perform arbitrary file writes through a ZipSlip attack. Due to missing filename validation in apps/server/src/integrations/import/utils/file.utils.ts, malicious zip archives containing path traversal sequences can write files to arbitrary locations on the server filesystem.
Critical Impact
This vulnerability allows unauthenticated attackers to achieve arbitrary file write capabilities on the server, potentially leading to remote code execution through overwriting critical system files or application components.
Affected Products
- Docmost versions 0.21.0 through 0.23.x
- Docmost installations utilizing the Zip Import Feature
- Self-hosted Docmost deployments
Discovery Timeline
- 2026-01-15 - CVE CVE-2026-22249 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-22249
Vulnerability Analysis
The ZipSlip vulnerability in Docmost represents a classic case of insufficient input validation during archive extraction. When users import content via zip files, the application extracts the archive contents without validating the filenames for path traversal sequences such as ../. This allows attackers to craft malicious zip archives where filenames contain directory traversal sequences, enabling file writes outside the intended extraction directory.
The vulnerability is particularly severe because it requires no authentication and can be exploited remotely over the network. Successful exploitation could allow an attacker to overwrite application configuration files, inject malicious code into web-accessible directories, or replace system binaries to achieve remote code execution.
Root Cause
The root cause of this vulnerability lies in the file.utils.ts file located at apps/server/src/integrations/import/utils/file.utils.ts. The file extraction logic fails to validate or sanitize filenames extracted from zip archives. When processing zip entries, the application directly uses the filename from the archive without checking for path traversal sequences like ../ or absolute paths. This allows malicious archive entries to escape the intended extraction directory and write files to arbitrary locations on the filesystem.
Attack Vector
The attack vector is network-based and can be executed without authentication. An attacker crafts a malicious zip archive containing files with specially crafted filenames that include path traversal sequences (e.g., ../../../etc/cron.d/malicious). When a user or automated process imports this zip file through Docmost's import feature, the application extracts files to unintended locations on the server filesystem.
The attack sequence involves creating a zip archive with entries containing traversal paths, uploading the malicious archive through the Docmost import functionality, and waiting for the extraction process to write files outside the designated directory. Depending on the server configuration and file permissions, this could lead to configuration tampering, web shell deployment, or system compromise.
Detection Methods for CVE-2026-22249
Indicators of Compromise
- Unexpected files appearing in system directories outside Docmost's data directory
- Modified configuration files with recent timestamps that don't correspond to legitimate administrative activity
- Web shells or suspicious script files in web-accessible directories
- Anomalous zip file uploads containing unusual filename patterns with ../ sequences
Detection Strategies
- Monitor file system operations for writes outside the expected Docmost data directories during import operations
- Implement web application firewall (WAF) rules to inspect uploaded zip file contents for path traversal patterns
- Enable detailed logging for the Docmost import feature and review logs for unusual extraction patterns
- Deploy file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
Monitoring Recommendations
- Configure alerts for file creation events in sensitive directories such as /etc, web roots, and application directories
- Monitor Docmost application logs for import operations involving large numbers of files or unusual file paths
- Implement network traffic analysis to detect zip file uploads with anomalous internal structure
- Review periodic file system integrity checks for unexpected file additions or modifications
How to Mitigate CVE-2026-22249
Immediate Actions Required
- Upgrade Docmost to version 0.24.0 or later immediately
- Audit recently imported zip files and verify no unauthorized files were written to the system
- Review file system for any suspicious files that may have been written through exploitation
- Restrict access to the Docmost import feature until patching is complete
Patch Information
Docmost has released version 0.24.0 which addresses this vulnerability by implementing proper filename validation during zip extraction. The fix is available through the GitHub Security Advisory GHSA-54pm-hqxm-54wg and the specific commit c3b350d943108552e20654580005cd6f6c78ab05. Organizations should update to version 0.24.0 through the official release as soon as possible.
Workarounds
- Disable the zip import feature temporarily if upgrading is not immediately possible
- Implement network-level controls to restrict access to the import functionality to trusted users only
- Deploy a reverse proxy with content inspection to filter zip uploads containing path traversal patterns
- Run Docmost in a containerized environment with restricted filesystem access to limit the impact of potential exploitation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
