CVE-2026-28807 Overview
CVE-2026-28807 is a path traversal vulnerability (CWE-22) in the gleam-wisp wisp web framework that allows unauthenticated attackers to read arbitrary files from the server through percent-encoded path traversal sequences. The vulnerability exists in the wisp.serve_static function, which performs path sanitization before URL percent-decoding, allowing attackers to bypass security controls using encoded directory traversal sequences.
Critical Impact
An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files.
Affected Products
- gleam-wisp wisp versions 2.1.1 through 2.2.0
Discovery Timeline
- 2026-03-10 - CVE-2026-28807 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-28807
Vulnerability Analysis
This path traversal vulnerability stems from a classic order-of-operations flaw in input validation. The wisp.serve_static function is designed to prevent directory traversal attacks by sanitizing path components, specifically filtering out .. sequences that could allow an attacker to navigate outside the intended directory. However, the sanitization logic executes before the URL percent-decoding step, creating a critical security gap.
When an attacker sends a request containing percent-encoded path traversal sequences such as %2e%2e (the encoded form of ..), the sanitization routine using string.replace examines the raw encoded string and finds no literal .. characters to remove. Subsequently, uri.percent_decode processes the path and converts %2e%2e back to .., which the operating system then interprets as a legitimate directory traversal command when resolving the file path.
The vulnerability can be exploited with a single unauthenticated HTTP request, requiring no special access or privileges. Attackers can construct malicious URLs targeting sensitive files such as /etc/passwd, application configuration files containing database credentials, API keys, or any other files readable by the application process.
Root Cause
The root cause is improper sequencing of security controls in the wisp.serve_static function. Path sanitization runs on URL-encoded input before percent-decoding occurs, allowing encoded traversal sequences (%2e%2e) to bypass the string.replace sanitization. After decoding, these sequences become valid .. directory traversal instructions that the operating system processes during file access operations.
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker can craft a malicious HTTP request to any endpoint using wisp.serve_static with a path containing percent-encoded traversal sequences. For example, a request to /static/%2e%2e/%2e%2e/%2e%2e/etc/passwd would bypass the sanitization filter and resolve to /etc/passwd on Unix-based systems.
The attack requires no user interaction and can be executed in a single HTTP request. Successful exploitation grants read access to any file on the filesystem that the application process has permissions to read.
Detection Methods for CVE-2026-28807
Indicators of Compromise
- HTTP requests to static file endpoints containing %2e%2e or other percent-encoded traversal sequences
- Web server access logs showing requests attempting to access files outside expected static directories
- Unusual file access patterns in application logs, particularly targeting sensitive system files like /etc/passwd, /etc/shadow, or application configuration files
- HTTP requests with abnormally long paths containing multiple encoded traversal sequences
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block percent-encoded path traversal patterns including %2e%2e, %2f, and %5c sequences
- Configure IDS/IPS signatures to alert on HTTP requests containing encoded directory traversal attempts
- Implement application-layer logging to track all file access requests through wisp.serve_static endpoints
- Monitor for responses returning content from unexpected file types or paths that indicate successful traversal
Monitoring Recommendations
- Enable detailed access logging on all web servers running vulnerable wisp applications
- Set up automated alerting for HTTP requests containing common encoded traversal patterns
- Monitor application process file access using system auditing tools to detect reads of sensitive files
- Establish baseline patterns for normal static file access to identify anomalous requests
How to Mitigate CVE-2026-28807
Immediate Actions Required
- Upgrade gleam-wisp wisp to version 2.2.1 or later immediately
- Review application logs for evidence of exploitation attempts using encoded path traversal sequences
- Audit any files that may have been accessed through this vulnerability, particularly configuration files and secrets
- Rotate any credentials or API keys that may have been exposed through arbitrary file read
Patch Information
The vulnerability has been addressed in wisp version 2.2.1. The fix ensures that percent-decoding occurs before path sanitization, preventing encoded traversal sequences from bypassing security controls. The patch commit is available at the GitHub commit. For additional details, refer to the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, consider disabling or removing the wisp.serve_static functionality and serving static files through a reverse proxy such as nginx or Apache
- Implement a web application firewall rule to block requests containing percent-encoded path traversal patterns before they reach the application
- Restrict the application process filesystem permissions to limit the impact of potential file read attacks
- Deploy network-level controls to restrict access to affected endpoints until patching can be completed
# Example: Update wisp package to patched version
gleam update wisp@2.2.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
