CVE-2026-3188 Overview
A path traversal vulnerability has been discovered in feiyuchuixue sz-boot-parent up to version 1.3.2-beta. This security flaw affects the /api/admin/common/download/templates endpoint within the API component. By manipulating the templateName parameter, an authenticated attacker can traverse directory paths to read arbitrary files on the affected system. The vulnerability can be exploited remotely over the network, and exploit details have been publicly disclosed.
Critical Impact
Remote attackers with low privileges can exploit this path traversal vulnerability to read arbitrary resource files from the server, potentially exposing sensitive configuration data, credentials, or application source code.
Affected Products
- sz-boot-parent versions up to and including 1.3.2-beta
- Applications utilizing the /api/admin/common/download/templates API endpoint
- Systems exposing the vulnerable template download functionality
Discovery Timeline
- 2026-02-25 - CVE-2026-3188 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-3188
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the template download interface of sz-boot-parent. The application fails to properly validate the templateName parameter before using it to construct file paths for template downloads. An attacker can inject path traversal sequences (such as ../) into this parameter to escape the intended template directory and access arbitrary files on the server's filesystem.
Exploitation requires network access and a low-privileged authenticated account. While the attack complexity is low, the impact is primarily limited to confidentiality breaches through unauthorized file access. The vendor was notified prior to public disclosure and responded professionally by implementing path validity checks on the template download interface parameters.
Root Cause
The root cause of this vulnerability is insufficient input validation on the templateName parameter in the template download endpoint. The application did not sanitize or validate path components before file operations, allowing directory traversal sequences to escape the intended template directory. The absence of a whitelist approach for allowed template names and missing canonical path validation enabled this attack vector.
Attack Vector
The attack is executed remotely over the network by sending a crafted HTTP request to the /api/admin/common/download/templates endpoint. An authenticated attacker manipulates the templateName parameter with path traversal sequences to access files outside the designated template directory. This could allow reading of sensitive files such as configuration files containing database credentials, application properties, or other system files accessible to the application's runtime user.
The security patch implemented path validity checks to prevent these traversal attempts:
EXISTS(1001, "已存在"),
NOT_EXISTS(1002, "不存在"),
FILE_NOT_EXISTS(1003, "文件不存在"),
- FILE_UPLOAD_EXT_ERROR(1004, "上传文件类型错误"),
+ FILE_UPLOAD_EXT_ERROR(1004, "文件类型不被允许,请检查文件扩展名和MIME类型"),
FILE_UPLOAD_SIZE_ERROR(1005, "上传文件大小不能超过10MB"),
FILE_UPLOAD_ERROR(1006, "上传文件失败"),
USERNAME_EXISTS(1007, "用户名已存在"),
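Review bot: the lines shown contain no path validity check; the only change is the reworded FILE_UPLOAD_EXT_ERROR(1004) message, which concerns upload file types rather than the templateName download parameter, so this excerpt does not evidence the fix the sentence above attributes to it. Quote the hunk that validates templateName (and any new CommonResponseEnum entry it raises on failure) here, or introduce this excerpt as an adjacent change from the same commit.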
Source: GitHub Commit Details
The patch also added utility functions for path validation:
package com.sz.core.util;
+import com.sz.core.common.enums.CommonResponseEnum;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.util.DigestUtils;
import org.springframework.web.multipart.MultipartFile;
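Review bot: the only visible change is the new `import com.sz.core.common.enums.CommonResponseEnum;` in com.sz.core.util, while the utility functions the lead-in promises are absent from the excerpt, so a reader cannot verify what the path check does or where it runs. Include the method that uses CommonResponseEnum (the validation of the resolved path against the template directory and the enum value thrown on rejection) so it is clear the check happens before any file is opened.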
Source: GitHub Commit Details
Detection Methods for CVE-2026-3188
Indicators of Compromise
- HTTP requests to /api/admin/common/download/templates containing path traversal sequences such as ../, ..%2f, or ..%5c in the templateName parameter
- Unusual file access patterns in application logs indicating attempts to read files outside the template directory
- Error responses or successful downloads of non-template files through the template download endpoint
- Web application firewall alerts for path traversal pattern matching on the affected endpoint
Detection Strategies
- Implement web application firewall rules to detect and block path traversal patterns in the templateName parameter
- Enable detailed logging for the template download endpoint and monitor for anomalous file access requests
- Deploy intrusion detection signatures to identify path traversal attack patterns targeting this specific API endpoint
- Review application access logs for requests containing encoded directory traversal sequences
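An added example, not part of this advisory or of sz-boot-parent, that applies the indicators above to web-server access logs in Python: it parses each request line, fully URL-decodes the templateName value so single- and double-encoded ../ and ..\ variants surface, and reports each hit with whether the server answered 200; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example (not advisory or project code): flag traversal payloads in templateName.
ENDPOINT = "/api/admin/common/download/templates"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ../ or ..\ anywhere, or an absolute Unix/Windows path as the template name.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|^[/\\]|^[A-Za-z]:[/\\]')

# Constructed sample lines (not real traffic): one benign download, then the
# single-encoded ..%2F, double-encoded ..%252f and backslash ..%5c variants.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:00:01 +0000] "GET /api/admin/common/download/templates?templateName=user_import.xlsx HTTP/1.1" 200 5120
10.0.0.7 - - [25/Feb/2026:10:00:02 +0000] "GET /api/admin/common/download/templates?templateName=..%2F..%2Fapplication.yml HTTP/1.1" 200 912
10.0.0.7 - - [25/Feb/2026:10:00:03 +0000] "GET /api/admin/common/download/templates?templateName=..%252f..%252fconfig%252fapplication.properties HTTP/1.1" 200 640
10.0.0.9 - - [25/Feb/2026:10:00:04 +0000] "GET /api/admin/common/download/templates?templateName=..%5c..%5capplication.yml HTTP/1.1" 404 0
10.0.0.5 - - [25/Feb/2026:10:00:05 +0000] "GET /api/admin/user/list?page=1 HTTP/1.1" 200 2048
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, exposing double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose templateName resolves to a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qs decodes one layer; fully_decode strips any remaining layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("templateName", []):
            name = fully_decode(raw)
            if TRAVERSAL_RE.search(name):
                hits.append({"ip": m["ip"], "time": m["ts"], "templateName": name,
                             "likely_success": m["status"] == "200"})
    return hits
```

A 200 response paired with a traversal payload is the record to escalate first, since it suggests the file was actually served.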
Monitoring Recommendations
- Configure real-time alerting for any requests to /api/admin/common/download/templates containing suspicious path characters
- Monitor file system access logs for the application user to detect unauthorized file reads
- Establish baseline behavior for template download activity and alert on deviations
- Implement centralized log aggregation to correlate potential exploitation attempts across multiple instances
How to Mitigate CVE-2026-3188
Immediate Actions Required
- Upgrade sz-boot-parent to version 1.3.3-beta or later immediately
- If immediate upgrade is not possible, disable or restrict access to the /api/admin/common/download/templates endpoint
- Review application logs for signs of prior exploitation attempts
- Conduct a security assessment to identify any data that may have been accessed through this vulnerability
Patch Information
The vulnerability has been addressed in sz-boot-parent version 1.3.3-beta. The fix is available in commit aefaabfd7527188bfba3c8c9eee17c316d094802. The patch implements path validity checks on the template download interface parameters to prevent path traversal attacks. According to the vendor, "We have implemented path validity checks on parameters for the template download interface."
For detailed patch information, see the GitHub Release v1.3.3-beta or review the GitHub Commit Details.
Workarounds
- Implement a web application firewall rule to block requests containing path traversal patterns to the vulnerable endpoint
- Restrict network access to the /api/admin/common/download/templates endpoint to trusted IP addresses only
- Add application-level input validation to reject any templateName values containing directory separators or encoded characters
- Consider temporarily disabling the template download functionality until the patch can be applied
# Example WAF rule to block path traversal attempts (ModSecurity)
# msg is a metadata action, so it must sit on the chain starter; the
# chained rule carries only the transformations and the logdata fragment.
SecRule REQUEST_URI "@contains /api/admin/common/download/templates" \
    "id:100001,phase:2,deny,status:403,log,\
    msg:'Path Traversal Attempt on Template Download',\
    chain"
    SecRule ARGS:templateName "@rx (\.\./|\.\.\\|%2e%2e)" \
        "t:lowercase,t:urlDecodeUni,\
        logdata:'%{MATCHED_VAR}'"
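As an added example that is not code from sz-boot-parent or from the fix commit, the whitelist-plus-canonical-path pattern the Root Cause section calls for and the application-level input validation workaround describes, written in Python; the template directory and the two template names are assumed, and the unchecked join is included only to contrast with the hardened check.

```python
import os
import re

# Added example (not sz-boot-parent code): whitelist plus canonical-path check
# for a user-supplied template name. Directory and names below are assumed.
TEMPLATE_DIR = "/srv/app/templates"
ALLOWED_TEMPLATES = frozenset({"user_import.xlsx", "dept_import.xlsx"})
# A plain file name only: letters, digits, '_' and '-', then one extension.
# This rejects separators, '..' and percent-encoded characters in one step.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def validate_template_name(template_name: str, allowed=ALLOWED_TEMPLATES,
                           base_dir: str = TEMPLATE_DIR):
    """Return (accepted, detail): the canonical path when accepted, else the
    reason the request must be refused before any file is opened."""
    if not SAFE_NAME_RE.fullmatch(template_name):
        return False, "name contains separators, traversal or encoded characters"
    if template_name not in allowed:
        return False, "name is not on the template whitelist"
    # Defence in depth: canonicalise and confirm the result is still under
    # base_dir, so a symlink or a later code change cannot widen the whitelist.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, template_name))
    if os.path.commonpath([base, candidate]) != base:
        return False, "resolved path escapes the template directory"
    return True, candidate


def naive_template_path(template_name: str, base_dir: str = TEMPLATE_DIR) -> str:
    """The unchecked join the root cause describes; shown only for contrast."""
    return os.path.normpath(os.path.join(base_dir, template_name))
```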
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.