CVE-2026-3187: Sz-boot-parent RCE Vulnerability

CVE-2026-3187 Overview

A critical unrestricted file upload vulnerability has been identified in feiyuchuixue sz-boot-parent versions up to 1.3.2-beta. This vulnerability affects the /api/admin/sys-file/upload API endpoint, allowing authenticated attackers to upload arbitrary files without proper validation of file types or extensions. The flaw stems from missing file type restrictions, potentially enabling attackers to upload malicious executable files or web shells to the server.

Critical Impact
Authenticated attackers can remotely upload arbitrary files to the server through the vulnerable API endpoint, potentially leading to remote code execution, web shell deployment, or server compromise.

Affected Products

szadmin sz-boot-parent version 1.0.0-beta through 1.3.2-beta
All beta releases prior to version 1.3.3-beta
Systems utilizing the /api/admin/sys-file/upload endpoint without additional security controls

Discovery Timeline

2026-02-25 - CVE-2026-3187 published to NVD
2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-3187

Vulnerability Analysis

This vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-284 (Improper Access Control). The vulnerable component is the file upload API endpoint located at /api/admin/sys-file/upload. Prior to the security patch, the endpoint accepted file uploads without validating the file extension or MIME type, allowing attackers to bypass intended restrictions and upload potentially malicious files.

The attack can be launched remotely by any authenticated user with access to the admin API. Since the exploit details have been publicly disclosed, the risk of exploitation is elevated for unpatched systems. The vendor responded professionally when notified and implemented whitelist-based file validation using the oss.allowedExts and oss.allowedMimeTypes configuration options.

Root Cause

The root cause of this vulnerability is the absence of file type validation in the upload handler. The original implementation accepted any file uploaded to the /api/admin/sys-file/upload endpoint without checking:

File extension against an allowlist of permitted types
MIME type validation to ensure content matches declared type
Magic byte verification to prevent extension spoofing

This lack of validation allowed attackers to upload dangerous file types such as executable scripts, web shells, or other malicious content that could be executed by the server.

Attack Vector

The vulnerability is exploitable over the network by authenticated users. An attacker with valid credentials can craft a malicious HTTP POST request to the vulnerable endpoint, uploading files with dangerous extensions (e.g., .jsp, .php, .exe). The security patch introduces whitelist restrictions as shown in the following code changes:

java

    EXISTS(1001, "已存在"),
    NOT_EXISTS(1002, "不存在"),
    FILE_NOT_EXISTS(1003, "文件不存在"),
-    FILE_UPLOAD_EXT_ERROR(1004, "上传文件类型错误"),
+    FILE_UPLOAD_EXT_ERROR(1004, "文件类型不被允许，请检查文件扩展名和MIME类型"),
    FILE_UPLOAD_SIZE_ERROR(1005, "上传文件大小不能超过10MB"),
    FILE_UPLOAD_ERROR(1006, "上传文件失败"),
    USERNAME_EXISTS(1007, "用户名已存在"),

Source: GitHub Commit Details

The patch also introduces additional validation utilities:

java

package com.sz.core.util;

+import com.sz.core.common.enums.CommonResponseEnum;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.util.DigestUtils;
import org.springframework.web.multipart.MultipartFile;

Source: GitHub Commit Details

Detection Methods for CVE-2026-3187

Indicators of Compromise

Unusual file uploads to the /api/admin/sys-file/upload endpoint with suspicious extensions (.jsp, .php, .exe, .sh)
Web server logs showing POST requests to the upload endpoint with non-standard Content-Type headers
Presence of unexpected executable or script files in upload directories
Anomalous outbound connections from the web server following file uploads

Detection Strategies

Monitor HTTP traffic for POST requests to /api/admin/sys-file/upload containing potentially malicious file extensions
Implement file integrity monitoring on upload directories to detect unauthorized file additions
Review web application firewall logs for blocked or suspicious upload attempts
Analyze authentication logs for accounts frequently accessing the file upload functionality

Monitoring Recommendations

Enable detailed logging for all file upload API endpoints including file names, sizes, and MIME types
Configure alerts for uploads of executable file types or files with double extensions
Implement real-time monitoring of file system changes in directories where uploads are stored
Regularly audit uploaded files for suspicious content or unexpected file types

How to Mitigate CVE-2026-3187

Immediate Actions Required

Upgrade sz-boot-parent to version 1.3.3-beta or later immediately
Review upload directories for any suspicious files that may have been uploaded prior to patching
Configure oss.allowedExts and oss.allowedMimeTypes settings to restrict permitted file types
Implement additional network-level controls to limit access to admin API endpoints

Patch Information

The vulnerability has been addressed in sz-boot-parent version 1.3.3-beta. The security patch (commit hash aefaabfd7527188bfba3c8c9eee17c316d094802) introduces whitelist-based validation for file uploads. The fix implements:

Extension whitelist via oss.allowedExts configuration option
MIME type validation through oss.allowedMimeTypes configuration
Enhanced error messaging for rejected file uploads

For detailed patch information, refer to the GitHub Commit Details and the v1.3.3-beta Release.

Workarounds

Disable the /api/admin/sys-file/upload endpoint if file upload functionality is not required
Implement a reverse proxy or WAF rule to block upload requests with dangerous file extensions
Restrict network access to admin API endpoints to trusted IP ranges only
Apply server-side file type validation at the web server level (e.g., Apache, Nginx configuration)

bash

# Example: Configure allowed extensions in application configuration
oss.allowedExts=jpg,jpeg,png,gif,pdf,doc,docx,xls,xlsx
oss.allowedMimeTypes=image/jpeg,image/png,image/gif,application/pdf,application/msword

CVE-2026-3187 Overview

Critical Impact
Authenticated attackers can remotely upload arbitrary files to the server through the vulnerable API endpoint, potentially leading to remote code execution, web shell deployment, or server compromise.

Affected Products

szadmin sz-boot-parent version 1.0.0-beta through 1.3.2-beta
All beta releases prior to version 1.3.3-beta
Systems utilizing the /api/admin/sys-file/upload endpoint without additional security controls

Discovery Timeline

2026-02-25 - CVE-2026-3187 published to NVD
2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-3187

Vulnerability Analysis

Root Cause

File extension against an allowlist of permitted types
MIME type validation to ensure content matches declared type
Magic byte verification to prevent extension spoofing

This lack of validation allowed attackers to upload dangerous file types such as executable scripts, web shells, or other malicious content that could be executed by the server.

Attack Vector

java

    EXISTS(1001, "已存在"),
    NOT_EXISTS(1002, "不存在"),
    FILE_NOT_EXISTS(1003, "文件不存在"),
-    FILE_UPLOAD_EXT_ERROR(1004, "上传文件类型错误"),
+    FILE_UPLOAD_EXT_ERROR(1004, "文件类型不被允许，请检查文件扩展名和MIME类型"),
    FILE_UPLOAD_SIZE_ERROR(1005, "上传文件大小不能超过10MB"),
    FILE_UPLOAD_ERROR(1006, "上传文件失败"),
    USERNAME_EXISTS(1007, "用户名已存在"),

Source: GitHub Commit Details

The patch also introduces additional validation utilities:

java

package com.sz.core.util;

+import com.sz.core.common.enums.CommonResponseEnum;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.util.DigestUtils;
import org.springframework.web.multipart.MultipartFile;

Source: GitHub Commit Details

Detection Methods for CVE-2026-3187

Indicators of Compromise

Unusual file uploads to the /api/admin/sys-file/upload endpoint with suspicious extensions (.jsp, .php, .exe, .sh)
Web server logs showing POST requests to the upload endpoint with non-standard Content-Type headers
Presence of unexpected executable or script files in upload directories
Anomalous outbound connections from the web server following file uploads

Detection Strategies

Monitor HTTP traffic for POST requests to /api/admin/sys-file/upload containing potentially malicious file extensions
Implement file integrity monitoring on upload directories to detect unauthorized file additions
Review web application firewall logs for blocked or suspicious upload attempts
Analyze authentication logs for accounts frequently accessing the file upload functionality

Monitoring Recommendations

Enable detailed logging for all file upload API endpoints including file names, sizes, and MIME types
Configure alerts for uploads of executable file types or files with double extensions
Implement real-time monitoring of file system changes in directories where uploads are stored
Regularly audit uploaded files for suspicious content or unexpected file types

How to Mitigate CVE-2026-3187

Immediate Actions Required

Upgrade sz-boot-parent to version 1.3.3-beta or later immediately
Review upload directories for any suspicious files that may have been uploaded prior to patching
Configure oss.allowedExts and oss.allowedMimeTypes settings to restrict permitted file types
Implement additional network-level controls to limit access to admin API endpoints

Patch Information

Extension whitelist via oss.allowedExts configuration option
MIME type validation through oss.allowedMimeTypes configuration
Enhanced error messaging for rejected file uploads

For detailed patch information, refer to the GitHub Commit Details and the v1.3.3-beta Release.

Workarounds

Disable the /api/admin/sys-file/upload endpoint if file upload functionality is not required
Implement a reverse proxy or WAF rule to block upload requests with dangerous file extensions
Restrict network access to admin API endpoints to trusted IP ranges only
Apply server-side file type validation at the web server level (e.g., Apache, Nginx configuration)

bash

# Example: Configure allowed extensions in application configuration
oss.allowedExts=jpg,jpeg,png,gif,pdf,doc,docx,xls,xlsx
oss.allowedMimeTypes=image/jpeg,image/png,image/gif,application/pdf,application/msword

CVE-2026-3187: Sz-boot-parent RCE Vulnerability

CVE-2026-3187 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-3187

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-3187

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-3187

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-3187: Sz-boot-parent RCE Vulnerability

CVE-2026-3187 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-3187

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-3187

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-3187

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform