CVE-2026-33528 Overview
GoDoxy, a reverse proxy and container orchestrator for self-hosters, contains a path traversal vulnerability in its file content API endpoint. Prior to version 0.27.5, the /api/v1/file/content endpoint fails to properly sanitize the filename query parameter, allowing authenticated attackers to traverse directory boundaries and access files outside the intended config/ directory.
Critical Impact
An authenticated attacker can leverage ../ sequences to read or write arbitrary files accessible to the container's UID, including TLS private keys, OAuth refresh tokens, and other sensitive configuration data.
Affected Products
- GoDoxy versions prior to 0.27.5
- Self-hosted deployments using GoDoxy's file content API
- Container environments running vulnerable GoDoxy instances
Discovery Timeline
- 2026-03-26 - CVE-2026-33528 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33528
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the file content API endpoint at /api/v1/file/content. The vulnerability stems from insufficient input validation on the filename query parameter. When processing file requests, the application passes the user-supplied filename directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath is set to "config" as a relative path.
The only validation applied to the filename parameter is a check that the field is non-empty via the binding:"required" constraint. This minimal validation fails to prevent directory traversal sequences, allowing attackers to escape the intended config/ directory and access files elsewhere in the filesystem.
Root Cause
The root cause is the absence of path sanitization or validation logic on user-supplied input before file operations. The application trusts the filename parameter without checking for directory traversal sequences such as ../. The use of a relative path for ConfigBasePath rather than an absolute path compounds the issue: path.Join() in Go only cleans the joined string lexically and never confines the result to the base directory, and with a relative base such as "config" the cleaned result can itself begin with ../ and climb above the process working directory.
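To make the mechanism concrete, here is an added Go example written for this page (not GoDoxy's own code or its fix): it contrasts the unchecked path.Join pattern the advisory describes with a containment check that keeps the cleaned path strictly below the base directory. The base directory /app/config and the file names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideBase is returned when the joined path leaves the config directory.
var ErrOutsideBase = errors.New("filename resolves outside the config directory")

// vulnerableResolve mirrors the pre-0.27.5 pattern the advisory describes: the
// user-controlled filename is joined onto the relative base "config" with no
// containment check. path.Join only cleans lexically, so
// "config/../../etc/passwd" collapses to "../etc/passwd".
func vulnerableResolve(filename string) string {
	return path.Join("config", filename)
}

// safeResolve is a hardening example written for this page, not GoDoxy's own
// fix. It joins onto an absolute base and requires the cleaned result to sit
// strictly below it. Matching on base+"/" (not bare base) is what stops
// "../config-secret/key.pem" from passing on a shared "/app/config" prefix.
// path (slash-only) keeps the demo portable; on-disk code should use
// path/filepath (filepath.IsLocal on Go 1.20+) and resolve symlinks first.
func safeResolve(absBase, filename string) (string, error) {
	absBase = path.Clean(absBase)
	if !path.IsAbs(absBase) {
		return "", errors.New("base directory must be absolute")
	}
	if filename == "" || path.IsAbs(filename) {
		return "", ErrOutsideBase
	}
	candidate := path.Join(absBase, filename)
	if !strings.HasPrefix(candidate, absBase+"/") {
		return "", ErrOutsideBase // "../x" escapes and "." is the directory itself
	}
	return candidate, nil
}

func main() {
	for _, name := range []string{"routes.yml", "../../etc/passwd", "../config-secret/key.pem"} {
		safe, err := safeResolve("/app/config", name)
		fmt.Printf("%-26q vulnerable=%-24s safe=%q err=%v\n", name, vulnerableResolve(name), safe, err)
	}
}
```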
Attack Vector
The attack is network-based and requires authentication to the GoDoxy API. An attacker with valid credentials can craft malicious requests to the /api/v1/file/content endpoint using ../ sequences in the filename parameter. This allows reading sensitive files such as TLS private keys and OAuth refresh tokens, or potentially writing malicious content to files accessible by the container's UID.
// Security patch from internal/api/v1/file/get.go
// fix(api/file): prevent path traversal in file API
package fileapi
import (
+ "io"
"net/http"
"os"
"path"
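Review bot: the fragment shows only the added "io" import; the filename containment check that the commit title "prevent path traversal in file API" promises is not in the visible lines, so this excerpt cannot be reviewed for whether ../ (and its percent-encoded variants) is rejected before path.Join(common.ConfigBasePath, filename) is reached. Go refuses to compile an unused import, so the rest of the change must consume io; please include the hunk that does so together with the validation itself.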
Source: GitHub Commit Update
Detection Methods for CVE-2026-33528
Indicators of Compromise
- HTTP requests to /api/v1/file/content containing ../ sequences in the filename parameter
- Unusual file access patterns from the GoDoxy container process
- Access attempts to files outside the config/ directory such as /etc/passwd, TLS key files, or OAuth token stores
- Anomalous authenticated API activity targeting file content endpoints
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns (../, ..%2f, ..%252f) in API requests
- Monitor GoDoxy API logs for requests to /api/v1/file/content with suspicious filename values
- Deploy file integrity monitoring on sensitive files that may be targeted through this vulnerability
- Enable audit logging for all file access operations within the container environment
Monitoring Recommendations
- Configure alerting for any authenticated requests containing directory traversal sequences
- Monitor container filesystem access patterns for reads outside expected directories
- Review API access logs regularly for anomalous patterns targeting file endpoints
- Implement real-time detection for access attempts to sensitive files like TLS keys and OAuth tokens
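As an added example that is not part of the advisory, the following Go program applies the log-monitoring strategy above to constructed sample log lines: it normalises the filename parameter through the ../, ..%2f and ..%252f encodings listed in the detection strategies and flags requests to /api/v1/file/content whose filename contains a .. segment. The log line layout is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample log lines (not real GoDoxy output): "<ip> <method> <request-uri> <status>".
var sampleLog = []string{
	"10.0.0.5 GET /api/v1/file/content?filename=routes.yml 200",
	"10.0.0.9 GET /api/v1/file/content?filename=../../etc/passwd 200",
	"10.0.0.9 GET /api/v1/file/content?filename=..%2f..%2fcerts%2fkey.pem 200",
	"10.0.0.9 PUT /api/v1/file/content?filename=..%252f..%252fentrypoint.sh 200",
}

// isTraversalAttempt flags a request URI aimed at the vulnerable endpoint whose
// filename has a "/"- or "\"-separated segment equal to "..". Query() strips one
// percent-encoding layer; the loop strips up to two more so the double-encoded
// ..%252f form is caught. Legitimate names such as "..cfg" are not flagged.
func isTraversalAttempt(requestURI string) bool {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil || u.Path != "/api/v1/file/content" {
		return false
	}
	name := u.Query().Get("filename")
	for i := 0; i < 2; i++ {
		d, err := url.QueryUnescape(name)
		if err != nil || d == name {
			break
		}
		name = d
	}
	for _, seg := range strings.FieldsFunc(name, func(r rune) bool { return r == '/' || r == '\\' }) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// flagLogLines returns every line whose request URI is a traversal attempt.
func flagLogLines(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if f := strings.Fields(line); len(f) >= 3 && isTraversalAttempt(f[2]) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() { fmt.Println(strings.Join(flagLogLines(sampleLog), "\n")) }
```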
How to Mitigate CVE-2026-33528
Immediate Actions Required
- Upgrade GoDoxy to version 0.27.5 or later immediately
- Review API access logs for any evidence of exploitation attempts prior to patching
- Rotate any TLS private keys and OAuth refresh tokens that may have been exposed
- Audit file permissions within the container to minimize the attack surface
Patch Information
Version 0.27.5 of GoDoxy addresses this vulnerability by implementing proper path validation in the file content API. The fix is available in the GitHub Release v0.27.5. For detailed technical information about the vulnerability and remediation, refer to the GitHub Security Advisory GHSA-4753.
Workarounds
- Restrict network access to the GoDoxy API endpoint using firewall rules or network segmentation
- Implement a reverse proxy with path traversal filtering in front of GoDoxy
- Limit the container's filesystem access using read-only mounts where possible
- Enforce strict authentication and authorization controls to minimize the number of users who can access the file API
# Configuration example - Restrict API access via iptables
# Allow only trusted IP ranges to access the GoDoxy API (port 8080 is assumed; adjust to the port GoDoxy listens on)
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.