The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-22786

CVE-2026-22786: Gin-vue-admin Path Traversal Vulnerability

CVE-2026-22786 is a path traversal flaw in Gin-vue-admin that enables attackers to upload files to arbitrary directories. This article covers the technical details, affected versions, impact, and mitigation strategies.

Updated: January 22, 2026

CVE-2026-22786 Overview

Gin-vue-admin is a backstage management system based on Vue and Gin. A path traversal vulnerability exists in Gin-vue-admin versions up to and including v2.8.7 within the breakpoint resume upload functionality. This vulnerability allows attackers with file upload privileges to upload arbitrary files to any directory on the server, potentially leading to remote code execution or complete system compromise.

Critical Impact

Authenticated attackers can exploit the path traversal vulnerability to upload malicious files (such as webshells) to arbitrary directories, potentially achieving remote code execution on the target server.

Affected Products

  • Gin-vue-admin <= v2.8.7
  • Systems using the breakpoint resume upload functionality via /fileUploadAndDownload/breakpointContinueFinish API endpoint

Discovery Timeline

  • 2026-01-12 - CVE-2026-22786 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2026-22786

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The vulnerability resides in the breakpoint_continue.go file where the MakeFile function processes user-supplied fileName parameters from the /fileUploadAndDownload/breakpointContinueFinish API endpoint.

The core issue stems from insufficient input validation when constructing file paths. The vulnerable code directly concatenates user-controlled input with the base directory path (./fileDir/) using os.OpenFile() without sanitizing or validating the input for directory traversal sequences such as ../. This allows an authenticated attacker to escape the intended upload directory and write files to arbitrary locations on the filesystem.

Root Cause

The root cause is the absence of input validation for path traversal sequences in the fileName parameter before it is concatenated with the base directory path. When user input containing sequences like ../ is processed without sanitization, the resulting file path can reference directories outside the intended ./fileDir/ upload location. This is a classic case of improper input validation leading to path traversal exploitation.

Attack Vector

The attack requires network access and authenticated privileges (file upload permissions). An attacker can craft a malicious request to the /fileUploadAndDownload/breakpointContinueFinish endpoint with a fileName parameter containing directory traversal sequences. For example, a filename like ../../../etc/cron.d/malicious could allow writing files to system directories, while ../../../var/www/html/shell.php could place a webshell in a web-accessible location.

The security patch was released in version v2.8.8. Below is an excerpt from the commit that addresses the vulnerability:

go
 	}
 	response.OkWithMessage("文件变更成功", c)
 }

+// InitDictionary
+// @Tags      AutoCodePlugin
+// @Summary   打包插件
+// @Security  ApiKeyAuth
+// @accept    application/json
+// @Produce   application/json
+// @Success   200   {object}  response.Response{data=map[string]interface{},msg=string}  "打包插件成功"
+// @Router    /autoCode/initDictionary [post]
+func (a *AutoCodePluginApi) InitDictionary(c *gin.Context) {
+	var dictInfo request.InitDictionary
+	err := c.ShouldBindJSON(&dictInfo)
+	if err != nil {
+		response.FailWithMessage(err.Error(), c)
+		return
+	}
+	err = autoCodePluginService.InitDictionary(dictInfo)
+	if err != nil {
+		global.GVA_LOG.Error("创建初始化Dictionary失败!", zap.Error(err))
+		response.FailWithMessage("创建初始化Dictionary失败"+err.Error(), c)
+		return
+	}
+	response.OkWithMessage("文件变更成功", c)
+}

Source: GitHub Commit Update

Detection Methods for CVE-2026-22786

Indicators of Compromise

  • HTTP requests to /fileUploadAndDownload/breakpointContinueFinish containing ../ or URL-encoded variants (%2e%2e%2f, %2e%2e/) in the fileName parameter
  • Unexpected files appearing in directories outside of ./fileDir/ on the server
  • Web server logs showing unusual file upload requests with path manipulation attempts
  • New or modified files in sensitive system directories such as /etc/, /var/www/, or application configuration paths

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block requests containing path traversal sequences (../, ..\\, encoded variants)
  • Monitor file system integrity on the server using tools like AIDE or Tripwire to detect unauthorized file modifications
  • Configure application-level logging to capture all file upload requests and their parameters for forensic analysis
  • Deploy network intrusion detection systems (IDS) with signatures for path traversal attack patterns

Monitoring Recommendations

  • Enable verbose logging for the Gin-vue-admin application, particularly for the file upload module
  • Set up real-time alerts for file creation events outside designated upload directories
  • Monitor authenticated user sessions for anomalous file upload activity patterns
  • Implement centralized log aggregation to correlate file upload requests with file system changes

How to Mitigate CVE-2026-22786

Immediate Actions Required

  • Upgrade Gin-vue-admin to version v2.8.8 or later immediately
  • Review server file systems for any unauthorized files that may have been uploaded through this vulnerability
  • Audit application logs for signs of exploitation attempts against the /fileUploadAndDownload/breakpointContinueFinish endpoint
  • Restrict file upload privileges to only essential users until the patch is applied

Patch Information

The vulnerability has been addressed in Gin-vue-admin version v2.8.8. The fix is available through the GitHub Commit Update. For complete details about this security issue, refer to the GitHub Security Advisory GHSA-3558.

Workarounds

  • Implement input validation at the reverse proxy or WAF level to strip path traversal sequences from file upload requests
  • Temporarily disable the breakpoint resume upload functionality by restricting access to the /fileUploadAndDownload/breakpointContinueFinish endpoint
  • Use container isolation or chroot environments to limit the impact of potential file writes outside intended directories
bash
# Example: Nginx configuration to block path traversal attempts
location /fileUploadAndDownload/breakpointContinueFinish {
    # Block requests containing path traversal sequences
    if ($request_body ~* "\.\./") {
        return 403;
    }
    # Alternatively, restrict access until patched
    # deny all;
    proxy_pass http://gin-vue-admin-backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechGin Vue Admin
  • SeverityHIGH
  • CVSS Score7.3
  • EPSS Probability0.25%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-22
  • Technical References
  • GitHub Commit Update
  • GitHub Security Advisory GHSA-3558
  • Latest CVEs
  • CVE-2026-40322: SiYuan Knowledge Management RCE Vulnerability
  • CVE-2026-40318: SiYuan Path Traversal Vulnerability
  • CVE-2026-40259: SiYuan Auth Bypass Vulnerability
  • CVE-2026-40255: AdonisJS HTTP Server CSRF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English