CVE-2026-30345 Overview
A zip slip vulnerability has been identified in the Admin import functionality of CTFd version 3.8.1-18-gdb5a18c4. This path traversal flaw allows attackers to write arbitrary files outside the intended directories by supplying a crafted import archive. The vulnerability stems from improper validation of file paths within imported ZIP archives, enabling directory traversal sequences to escape the extraction directory.
Critical Impact
Attackers with administrative access can leverage this vulnerability to write malicious files to arbitrary locations on the server, potentially achieving remote code execution by overwriting critical application files or placing webshells in accessible directories.
Affected Products
- CTFd version 3.8.1-18-gdb5a18c4
- CTFd versions prior to 3.8.2
Discovery Timeline
- 2026-03-18 - CVE-2026-30345 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-30345
Vulnerability Analysis
This vulnerability is classified as CWE-23 (Relative Path Traversal); its archive-extraction form is commonly referred to as "Zip Slip." The flaw exists in CTFd's Admin import functionality, which processes uploaded ZIP archives containing CTF challenge data, configurations, and related files. When the application extracts files from a crafted archive, it fails to properly sanitize or validate the file paths embedded within the archive entries.
The attack exploits the fundamental trust placed in archive file paths. A malicious archive can contain entries with path traversal sequences (such as ../) that, when extracted, cause files to be written outside the intended extraction directory. This can result in overwriting sensitive application files, configuration files, or placing malicious scripts in web-accessible directories.
Root Cause
The root cause is insufficient input validation during ZIP archive extraction in the Admin import workflow. When processing archive entries, the application does not properly validate that the resolved destination path remains within the intended extraction directory. This allows specially crafted archive entries containing path traversal sequences like ../../../etc/passwd or ../../../app/routes.py to write files to arbitrary locations on the filesystem.
Attack Vector
The attack requires network access to the CTFd instance and administrative privileges to access the import functionality. An attacker would craft a malicious ZIP archive containing entries with path traversal sequences in their filenames. Upon uploading this archive through the Admin import feature, the vulnerable extraction routine writes files to locations outside the designated import directory.
The vulnerability enables attackers to overwrite application source files with malicious code, place backdoor scripts in web-accessible directories, modify configuration files to weaken security controls, or corrupt critical system files leading to denial of service.
Detection Methods for CVE-2026-30345
Indicators of Compromise
- Unexpected files appearing in CTFd application directories or parent directories after admin import operations
- Web server logs showing access to newly created files outside the standard CTFd structure
- Modified timestamps on critical application files such as routes.py, __init__.py, or configuration files
- Presence of unfamiliar .py, .html, or .php files in web-accessible directories
Detection Strategies
- Monitor file system changes in CTFd installation directories and parent paths using file integrity monitoring (FIM) tools
- Implement logging for all admin import operations and review logs for suspicious activity patterns
- Deploy web application firewalls (WAF) with rules to inspect uploaded archive contents for path traversal patterns
- Configure intrusion detection systems to alert on file creation events in sensitive directories following admin operations
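As an added example, not CTFd's own code, the containment check the Root Cause section describes as missing, together with the archive pre-inspection the Detection Strategies list recommends for a WAF or reverse proxy, written in Python since CTFd is a Python application. `find_unsafe_entries` flags traversal entries without extracting anything, and `safe_extract` rejects the whole archive before writing if any entry resolves outside the destination; all function names and the sample archive are constructed for this example.

```python
import io
import os
import posixpath
import zipfile

class UnsafeArchiveError(ValueError):
    """An archive entry would be written outside the extraction directory."""

def find_unsafe_entries(archive_bytes: bytes) -> list:
    """Inspect an archive without extracting it; return entry names that would escape
    the destination: absolute or drive-letter paths, or a leading '..' after normalisation."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name.replace("\\", "/"))  # Windows-built archives
            if (norm.startswith("/") or norm == ".." or norm.startswith("../")
                    or (len(norm) > 1 and norm[1] == ":")):
                unsafe.append(name)
    return unsafe

def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """The zip slip pattern writes to os.path.join(dest_dir, name) unchecked. Here the realpath
    of every target is compared with the realpath of dest_dir (this also covers symlinks already
    under dest_dir), and nothing is written until all entries pass. Returns the written paths."""
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename.replace("\\", "/")))
            if target != root and not target.startswith(root + os.sep):
                raise UnsafeArchiveError(f"entry escapes {dest_dir}: {info.filename!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:  # second pass: every entry has been validated
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_sample_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}. Constructed test input, not a CTFd export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Entries such as `uploads/x/../flag.txt` stay inside the destination and are accepted, while `../../evil.py` or an absolute path causes the whole archive to be refused with nothing on disk.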
Monitoring Recommendations
- Enable detailed audit logging for the CTFd Admin panel, particularly for import and export operations
- Monitor process execution and file write events associated with the CTFd application user account
- Establish baseline file checksums for critical application files and alert on unauthorized modifications
- Review admin user activity logs for unusual import patterns or imports from untrusted sources
How to Mitigate CVE-2026-30345
Immediate Actions Required
- Upgrade CTFd to version 3.8.2 or later, which addresses this vulnerability
- Restrict admin panel access to trusted users only until patching is complete
- Review recent admin import activity logs for any suspicious imports
- Perform file integrity checks on the CTFd installation to identify any unauthorized file modifications
Patch Information
CTFd has released version 3.8.2 which addresses this zip slip vulnerability. Administrators should update their CTFd installations immediately. The patch release is documented on the CTFd Blog Update page. Additional information can be found in the GitHub CTFd Repository and the GitHub Security Policy.
A proof-of-concept demonstrating the vulnerability is available at GitHub PoC for CVE-2026-30345.
Workarounds
- Disable or restrict access to the Admin import functionality until the patch can be applied
- Implement network-level access controls to limit admin panel access to trusted IP addresses only
- Deploy a reverse proxy with request inspection to block uploads containing suspicious archive filenames
- Run CTFd with minimal filesystem permissions to limit the impact of arbitrary file writes
- Consider running CTFd in a containerized environment with read-only filesystem mounts for critical directories
# Restrict admin panel access via reverse proxy (nginx example)
# allow/deny directives are evaluated in order: the trusted range is permitted, everything else is denied.
# Adjust the location prefix to match the admin routes of your deployment.
location /admin {
    allow 10.0.0.0/8;   # trusted administrator network
    deny all;
    proxy_pass http://ctfd_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

