CVE-2026-34735 Overview
CVE-2026-34735 is an unrestricted file upload vulnerability (CWE-434) affecting the Hytale Modding Wiki, a free documentation and wiki hosting service for Hytale mods. The vulnerability exists in version 1.2.0 and prior versions due to a mismatch between file content validation and filename handling in the quickUpload() endpoint. This flaw allows authenticated attackers to upload malicious PHP files that can be executed server-side, leading to remote code execution.
Critical Impact
Successful exploitation enables attackers to execute arbitrary server-side code, potentially compromising the entire web server, accessing sensitive data, and pivoting to internal network resources. No patches are currently available.
Affected Products
- Hytale Modding Wiki version 1.2.0
- Hytale Modding Wiki versions prior to 1.2.0
Discovery Timeline
- 2026-04-02 - CVE-2026-34735 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34735
Vulnerability Analysis
The vulnerability stems from an inconsistent validation approach in the file upload functionality. The quickUpload() endpoint performs MIME type validation using PHP's finfo extension, which inspects the actual file contents to determine the file type. However, when storing the file, the system uses getClientOriginalExtension() to determine the file extension, which relies entirely on the client-supplied filename.
This design creates a critical security gap: the MIME type check and the file extension are validated independently. An attacker can craft a file that contains content passing the MIME allowlist (such as a valid image header) while simultaneously specifying a .php extension. When the server stores this file on the public disk, it becomes directly accessible via URL, and the web server executes it as PHP code.
Root Cause
The root cause is the disconnect between content-based validation (MIME type inspection) and the use of client-controlled input (the original file extension) for determining how the file is stored and subsequently processed by the web server. Secure file upload implementations should either whitelist allowed extensions independently of content validation, or generate safe file extensions server-side based on the validated MIME type.
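The mismatch described above, as an added example that is not the Hytale Modding Wiki's code: a minimal vulnerable handler beside a hardened one, written framework-free as a stand-in for the Laravel helpers the advisory names. The function names, the allowlist, and the use of a temp directory in place of the public disk are assumptions.

```php
<?php
// Added example, not the project's code. Both handlers take the temp upload path and
// the client-supplied filename; $dir stands in for the public disk. The allowlist and
// function names are assumptions. Framework-free stand-in for Laravel's UploadedFile.

const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const ALLOWED_EXT  = ['png', 'jpg', 'jpeg', 'gif'];

function content_mime(string $path): string {
    // finfo inspects the bytes, so this check on its own is sound.
    return (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
}

// Vulnerable pattern: content is checked, but the stored extension comes from the client.
function store_vulnerable(string $tmpPath, string $clientName, string $dir): ?string {
    if (!isset(ALLOWED_MIME[content_mime($tmpPath)])) {
        return null; // content rejected
    }
    // Same as getClientOriginalExtension(): whatever the client put after the last dot.
    $ext  = pathinfo($clientName, PATHINFO_EXTENSION);
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return copy($tmpPath, $dest) ? $dest : null;
}

// Hardened: the client extension must be in the allowlist, and the stored extension
// is derived from the validated MIME type, never from client input.
function store_hardened(string $tmpPath, string $clientName, string $dir): ?string {
    $mime      = content_mime($tmpPath);
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_MIME[$mime]) || !in_array($clientExt, ALLOWED_EXT, true)) {
        return null; // rejected: bad content, or an extension the allowlist never permits
    }
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '.' . ALLOWED_MIME[$mime];
    return copy($tmpPath, $dest) ? $dest : null;
}

// Constructed input: a file that starts with a valid GIF header (so finfo reports
// image/gif) but is submitted under a .php name. No PHP code is needed to show the gap.
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
$tmp = $dir . '/php-upload-tmp';
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;");

$v  = store_vulnerable($tmp, 'avatar.php', $dir); // stored with the client's extension
$h  = store_hardened($tmp, 'avatar.php', $dir);   // rejected by the extension allowlist
$ok = store_hardened($tmp, 'avatar.GIF', $dir);   // stored with the MIME-derived extension
foreach (['vulnerable' => $v, 'hardened' => $h, 'hardened ok' => $ok] as $label => $path) {
    printf("%-12s %s\n", $label, $path ? basename($path) : 'rejected');
}
```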
Attack Vector
The attack can be performed remotely over the network by any user with low privileges sufficient to access the quickUpload() endpoint. No user interaction is required beyond the initial authentication. The attacker uploads a specially crafted file containing malicious PHP code with content that passes MIME validation (e.g., a polyglot file with valid image headers followed by PHP code). By specifying a .php extension, the file is stored with that extension on the public disk. The attacker then accesses the uploaded file via its public URL, causing the web server to execute the embedded PHP code.
The vulnerability allows direct access to the underlying server through webshell deployment, enabling attackers to execute arbitrary commands, exfiltrate data, modify system configurations, or establish persistent access to the compromised environment.
Detection Methods for CVE-2026-34735
Indicators of Compromise
- Presence of .php files in the wiki's public upload directories that were not intentionally uploaded by administrators
- Web server logs showing requests to unexpected PHP files in upload paths
- Unusual process spawning from the web server process (e.g., www-data executing shell commands)
- File integrity monitoring alerts for new executable files in upload directories
Detection Strategies
- Monitor file upload activity for files with executable extensions (.php, .phtml, .php5, etc.) being written to public directories
- Implement web application firewall rules to flag or block upload requests containing PHP extensions
- Deploy file integrity monitoring on upload directories to detect new PHP files
- Analyze web server access logs for requests to recently created files in upload paths
Monitoring Recommendations
- Enable verbose logging on the quickUpload() endpoint to capture all file upload attempts with their original extensions
- Set up real-time alerts for any file with an executable extension being created in upload directories
- Review web server error logs for PHP parsing errors that may indicate failed exploitation attempts
- Implement egress monitoring to detect potential data exfiltration following successful exploitation
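One way to act on the access-log indicators listed under Indicators of Compromise and Detection Strategies, as an added example that is not part of the advisory: a small PHP script that flags requests for executable-extension files under public upload paths. The log lines are constructed samples in combined log format, and the upload path prefixes are assumptions to adjust to where the wiki's public disk is exposed.

```php
<?php
// Added example, not from the advisory. Flags access-log requests for files with
// executable extensions under public upload paths. UPLOAD_PREFIXES are assumptions;
// the sample log lines are constructed (RFC 5737 documentation addresses).

const UPLOAD_PREFIXES = ['/uploads/', '/storage/'];
const EXEC_EXT_RE     = '/\.(php|phtml|phar|php\d)$/i';

// Parse one combined-format line into the fields we need, or null if it does not match.
function parse_access_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int)$m[5]];
}

// Returns the entries that request an executable file under an upload prefix.
// A 200 means the server served (and, with PHP enabled there, executed) the file;
// a 403/404 points at a deny rule doing its job or a failed attempt, still worth review.
function flag_upload_exec_requests(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_access_line($line);
        if ($e === null) {
            continue;
        }
        $path = parse_url($e['path'], PHP_URL_PATH) ?? $e['path']; // drop any query string
        foreach (UPLOAD_PREFIXES as $prefix) {
            if (str_starts_with($path, $prefix) && preg_match(EXEC_EXT_RE, $path)) {
                $e['severity'] = $e['status'] === 200 ? 'critical' : 'review';
                $hits[] = $e;
                break;
            }
        }
    }
    return $hits;
}

$sample = [
    '203.0.113.5 - - [02/Apr/2026:10:15:01 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Apr/2026:10:15:09 +0000] "GET /uploads/2a9f1c.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Apr/2026:10:16:22 +0000] "GET /storage/img/note.phtml?v=2 HTTP/1.1" 403 169 "-" "curl/8.0"',
    '198.51.100.7 - - [02/Apr/2026:10:16:30 +0000] "POST /wiki/quickUpload HTTP/1.1" 200 48 "-" "curl/8.0"',
];
foreach (flag_upload_exec_requests($sample) as $hit) {
    printf("[%s] %s %s %s -> %d\n", $hit['severity'], $hit['ip'], $hit['method'], $hit['path'], $hit['status']);
}
```

Only the second and third lines are flagged; the PNG request and the quickUpload POST itself are ordinary traffic, so the script reports executed or blocked uploads rather than every upload.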
How to Mitigate CVE-2026-34735
Immediate Actions Required
- Restrict access to the quickUpload() endpoint to trusted administrators only until a patch is available
- Implement server-side filename sanitization that ignores client-supplied extensions and generates safe extensions based on validated MIME types
- Configure the web server to disable PHP execution in upload directories using .htaccess or server configuration
- Consider deploying web application firewall rules to block file uploads with executable extensions
Patch Information
At the time of publication, no official patches are available for this vulnerability. Organizations using the Hytale Modding Wiki should monitor the GitHub Security Advisory for updates on remediation guidance and patch availability.
Workarounds
- Configure Apache to prevent PHP execution in upload directories by adding php_flag engine off to the directory's .htaccess file
- For Nginx, add location ~ /uploads/.*\.php$ { deny all; } to prevent PHP execution in upload paths
- Implement a proxy or CDN that strips executable content from responses originating from upload directories
- Move the public disk storage to a separate domain that does not execute server-side scripts
- Temporarily disable the quickUpload() functionality if it is not critical to operations
# Apache (mod_php): disable PHP execution in the uploads directory.
# Add to .htaccess in the uploads directory. php_flag only takes effect when PHP runs
# as an Apache module; with PHP-FPM, deny access to .php files in that directory
# at the web server level instead.
php_flag engine off

# Nginx: block PHP execution in uploads. Add to the server block:
location ~ /uploads/.*\.php$ { deny all; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.