CVE-2026-34745 Overview
CVE-2026-34745 is a critical Path Traversal vulnerability affecting Fireshare, a self-hosted media and link sharing application. The vulnerability exists in the unauthenticated /api/uploadChunked/public endpoint located in app/server/fireshare/api.py. While a previous fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint, the same security patch was not applied to the public (unauthenticated) endpoint in the same file.
An unauthenticated attacker can supply a crafted checkSum value and write a file with attacker-controlled content to any path that the account running Fireshare can write to. Depending on that account's privileges this can lead to remote code execution, configuration tampering, or full compromise of the host.
Critical Impact
Unauthenticated attackers can write arbitrary files to any location writable by the Fireshare process, potentially leading to remote code execution or complete system takeover.
Affected Products
- Fireshare versions prior to 1.5.3
Discovery Timeline
- 2026-04-02 - CVE-2026-34745 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34745
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw stems from an incomplete security patch where the authenticated endpoint received proper input sanitization while the unauthenticated public endpoint was left unprotected.
The checkSum parameter in the public upload endpoint is taken from the multipart form body and used without validation, so directory traversal sequences such as ../ pass straight through into the destination path. This lets an attacker escape the intended upload directory and write the uploaded chunk to an arbitrary location on the filesystem.
Root Cause
The root cause is inconsistent application of security controls across similar endpoints. When CVE-2026-33645 was patched, the fix was only applied to the authenticated /api/uploadChunked endpoint but not to the /api/uploadChunked/public endpoint in the same api.py file. The checkSum parameter was being used directly in file path construction without sanitization, allowing path traversal characters to manipulate the destination directory.
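To make the mechanism concrete, the following is an added Python example (not Fireshare's code): an assumed model of the pre-1.5.3 pattern in which the raw checkSum becomes a path component, the strip-based sanitiser the 1.5.3 fix uses, and a reject-and-verify variant written for this page. The upload directory /srv/fireshare/uploads and the <checkSum>/<chunkPart> layout are assumptions for illustration; the example also shows that an absolute checkSum escapes the upload directory without any ../ at all, because os.path.join discards everything before an absolute component.

```python
import os
import re

# Character class used by the 1.5.3 fix; here applied as a whole-value match.
CHECKSUM_RE = re.compile(r'[A-Za-z0-9_-]+')


def chunk_path_vulnerable(upload_dir: str, check_sum: str, chunk_part: int) -> str:
    """Assumed model of the pre-1.5.3 pattern (not Fireshare's code): the raw
    form value is joined into the destination path. Two things go wrong:
    '..' components walk out of upload_dir, and an absolute check_sum makes
    os.path.join discard upload_dir entirely."""
    return os.path.normpath(os.path.join(upload_dir, check_sum, str(chunk_part)))


def sanitize_checksum_strip(raw: str) -> str:
    """The 1.5.3 approach: delete every character outside the allow-list.
    A traversal string is silently normalised into a harmless name instead of
    being rejected, so a probe against a patched host is processed as an
    ordinary upload rather than answered with a 400."""
    return re.sub(r'[^a-zA-Z0-9_-]', '', raw)


def chunk_path_hardened(upload_dir: str, check_sum: str, chunk_part: int) -> str:
    """Fail-closed variant added for this example. Rejects anything that is
    not a bare identifier, then proves the resolved path is still under
    upload_dir (defence in depth against a future allow-list mistake)."""
    if not CHECKSUM_RE.fullmatch(check_sum or ''):
        raise ValueError('checkSum must match [A-Za-z0-9_-]+')
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, check_sum, str(chunk_part)))
    if os.path.commonpath([base, target]) != base:
        raise ValueError('resolved path escapes the upload directory')
    return target


def hardened_accepts(upload_dir: str, check_sum: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this value?"""
    try:
        chunk_path_hardened(upload_dir, check_sum, 0)
        return True
    except ValueError:
        return False


def escapes_upload_dir(upload_dir: str, path: str) -> bool:
    """True when path resolves outside upload_dir (both must be absolute)."""
    base = os.path.normpath(upload_dir)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


if __name__ == '__main__':
    UPLOADS = '/srv/fireshare/uploads'  # assumed location, for illustration
    for probe in ('a1b2c3', '../../../etc/cron.d/malicious', '/etc/cron.d/malicious'):
        dest = chunk_path_vulnerable(UPLOADS, probe, 0)
        print(f'{probe!r:40} -> {dest} (escapes={escapes_upload_dir(UPLOADS, dest)})')
        print(f'{"":40}    stripped={sanitize_checksum_strip(probe)!r}'
              f' hardened_accepts={hardened_accepts(UPLOADS, probe)}')
```

Note the contrast between the two defences: the strip approach maps '../../etc/cron.d/malicious' to 'etccrondmalicious' and carries on, while the reject approach refuses it and leaves a 400 in the logs.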
Attack Vector
The attack vector is network-based and requires no authentication. An attacker sends a multipart POST to /api/uploadChunked/public with a checkSum field containing path traversal sequences (e.g., ../../etc/cron.d/malicious) and the desired file content in the blob part; the chunk is then written outside the upload directory. Which of the following scenarios are reachable depends on the privileges of the account Fireshare runs as (a container running as root exposes all of them):
- Writing a cron job or systemd service for persistent backdoor access
- Overwriting application configuration files
- Placing a webshell in a web-accessible directory
- Modifying authorized_keys for SSH access
The security patch addresses this by sanitizing the checkSum parameter using a regular expression that strips all characters except alphanumeric, underscore, and hyphen:
blob = request.files.get('blob')
chunkPart = int(request.form.get('chunkPart'))
totalChunks = int(request.form.get('totalChunks'))
- checkSum = request.form.get('checkSum')
+ checkSum = re.sub(r'[^a-zA-Z0-9_-]', '', request.form.get('checkSum'))
+ if not checkSum:
+ return Response(status=400)
if not blob.filename or blob.filename.strip() == '' or blob.filename == 'blob':
return Response(status=400)
filename = secure_filename(blob.filename)
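Review bot: the new sanitiser silently normalises instead of rejecting, and it raises on a missing field. `re.sub(..., request.form.get('checkSum'))` gets None when the form has no checkSum, so the request fails with a TypeError (a 500) before the `if not checkSum` guard can return the intended 400; and a value such as `../../etc/cron.d/x` is reduced to `etccrondx` and accepted, so the 400 only fires when every character was stripped. Suggest `raw = request.form.get('checkSum', '')` followed by `if not re.fullmatch(r'[A-Za-z0-9_-]+', raw): return Response(status=400)`, which fails closed and makes traversal probes visible as 400s in the logs. The `int(request.form.get(...))` conversions for chunkPart and totalChunks just above have the same missing-field problem and would benefit from the same treatment.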
Source: GitHub Commit Update
Detection Methods for CVE-2026-34745
Indicators of Compromise
- Unexpected files in system directories such as /etc/cron.d/, /var/www/, or other locations writable by the Fireshare process user
- Multipart POST requests to /api/uploadChunked/public whose checkSum field contains ../, a path separator, or percent-encoded variants. Note that checkSum travels in the request body, not the URL, so ordinary nginx or Apache access logs will not show it; this indicator is only visible where request bodies are captured or inspected (WAF, reverse proxy with body logging, application-level logging)
- New or modified files with recent timestamps outside the expected Fireshare upload directory, particularly files owned by the account Fireshare runs as
- Bursts of POST requests to the public upload endpoint from a single source, or any traffic to it on instances where public upload is not used
Detection Strategies
- Implement web application firewall (WAF) rules that inspect multipart request bodies, not only the URL and query string, and block path traversal patterns (../, ..\, ..%2f, %2e%2e/) in form fields
- Monitor HTTP traffic for POST requests to /api/uploadChunked/public (and the authenticated /api/uploadChunked, which takes the same parameter) and alert on checkSum values containing anything outside [A-Za-z0-9_-]
- Deploy file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation or modification
- Do not rely on 400 responses from the patched endpoint as an exploitation signal: the fix strips disallowed characters rather than rejecting the value, so ../../etc/cron.d/malicious is reduced to etccrondmalicious and processed as an ordinary upload; a 400 is returned only when nothing survives the strip. Attempts against a patched instance therefore look like normal uploads unless the request body itself is inspected
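The following added Python example (not Fireshare's code or any vendor's detection rule) shows the body-inspection logic the points above call for: it parses multipart/form-data request bodies as a reverse proxy with body capture or a WAF would see them, extracts the checkSum field, and flags values that contain dot-dot segments, path separators, absolute paths or percent-encoding. The request records, source addresses and boundary string are constructed for the demonstration. The percent-decoding step is a probe heuristic only; a multipart field value is not URL-decoded by the application, so an encoded variant would not traverse, but it still marks someone testing the endpoint.

```python
import re
import urllib.parse

TARGET_PATHS = ('/api/uploadChunked/public', '/api/uploadChunked')
SAFE_CHECKSUM = re.compile(r'[A-Za-z0-9_-]+')   # allow-list from the 1.5.3 fix


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Minimal multipart/form-data splitter returning {field_name: raw_bytes}.
    Enough for log triage; not a replacement for a real parser."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return {}
    delimiter = b'--' + m.group(2).encode()
    fields = {}
    for segment in body.split(delimiter)[1:]:
        if segment.startswith(b'--'):          # closing delimiter reached
            break
        head, sep, value = segment.partition(b'\r\n\r\n')
        if not sep:
            continue
        name = re.search(rb';\s*name="([^"]*)"', head)   # leading ';' skips filename=
        if name:
            fields[name.group(1).decode()] = value[:-2] if value.endswith(b'\r\n') else value
    return fields


def assess_checksum(raw: str) -> list:
    """Reasons a checkSum value looks like a traversal attempt; [] means benign."""
    reasons = []
    decoded = urllib.parse.unquote(raw)
    if decoded != raw:
        reasons.append('percent-encoded')
    if '..' in decoded.replace('\\', '/').split('/'):
        reasons.append('dot-dot segment')
    if decoded.startswith(('/', '\\')) or re.match(r'[A-Za-z]:[\\/]', decoded):
        reasons.append('absolute path')
    if not SAFE_CHECKSUM.fullmatch(raw):
        reasons.append('outside allow-list [A-Za-z0-9_-]')
    return reasons


def scan_requests(records: list) -> list:
    """Apply assess_checksum to every POST aimed at the chunked-upload endpoints."""
    findings = []
    for rec in records:
        if rec['method'] != 'POST' or rec['path'] not in TARGET_PATHS:
            continue
        fields = parse_multipart(rec['content_type'], rec['body'])
        raw = fields.get('checkSum', b'').decode('utf-8', 'replace')
        reasons = assess_checksum(raw)
        if reasons:
            findings.append({'src': rec['src'], 'path': rec['path'],
                             'checkSum': raw, 'reasons': reasons})
    return findings


def build_body(boundary: str, fields: dict, blob: bytes) -> bytes:
    """Constructed request body in the shape the endpoint expects (demo helper)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="blob"; '
                 f'filename="chunk.bin"\r\nContent-Type: application/octet-stream\r\n\r\n')
    return ''.join(parts).encode() + blob + f'\r\n--{boundary}--\r\n'.encode()


BOUNDARY = 'demoBoundary7f3a'   # constructed
COMMON = {'chunkPart': '0', 'totalChunks': '1'}
SAMPLE_REQUESTS = [             # constructed records; addresses are documentation ranges
    {'src': '198.51.100.10', 'method': 'POST', 'path': '/api/uploadChunked/public',
     'content_type': f'multipart/form-data; boundary={BOUNDARY}',
     'body': build_body(BOUNDARY, {**COMMON, 'checkSum': 'd41d8cd98f00b204e9800998ecf8427e'},
                        b'video bytes')},
    {'src': '203.0.113.7', 'method': 'POST', 'path': '/api/uploadChunked/public',
     'content_type': f'multipart/form-data; boundary={BOUNDARY}',
     'body': build_body(BOUNDARY, {**COMMON, 'checkSum': '../../etc/cron.d/malicious'},
                        b'* * * * * root /usr/bin/id\n')},
    {'src': '203.0.113.7', 'method': 'POST', 'path': '/api/uploadChunked/public',
     'content_type': f'multipart/form-data; boundary={BOUNDARY}',
     'body': build_body(BOUNDARY, {**COMMON, 'checkSum': '..%2f..%2fetc%2fcron.d%2fx'},
                        b'probe')},
    {'src': '198.51.100.10', 'method': 'GET', 'path': '/api/videos',
     'content_type': '', 'body': b''},
]

if __name__ == '__main__':
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['src']} {f['path']} checkSum={f['checkSum']!r}: {', '.join(f['reasons'])}")
```

Feed it whatever your body-capturing proxy emits (one record per request with method, path, Content-Type and raw body) and the benign hex digest in the first record passes while the two probes are reported with their reasons.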
Monitoring Recommendations
- Enable detailed logging for the Fireshare application and configure alerts for anomalous upload activity
- Monitor filesystem changes in real-time using tools like auditd or commercial endpoint detection solutions
- Set up network intrusion detection rules to identify path traversal attack patterns targeting the vulnerable endpoint
- Regularly audit writable directories for unexpected files or modifications
How to Mitigate CVE-2026-34745
Immediate Actions Required
- Upgrade Fireshare to version 1.5.3 or later immediately
- If immediate upgrade is not possible, restrict network access to the /api/uploadChunked/public endpoint using firewall rules or web server configuration
- Audit the server filesystem for any unauthorized files that may have been written through exploitation
- Review web server and application logs for evidence of past exploitation attempts
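A minimal way to carry out the filesystem audit above, as an added Python example (not a Fireshare tool): walk the locations the attack scenarios target, report files modified since a chosen time, and optionally restrict the report to files owned by the account Fireshare runs as, since a file created through the upload endpoint carries that account's uid. The directory list and the user name are assumptions to adjust for the host; the demo builds a throwaway directory with a stale and a fresh file so the sweep can be exercised without touching the real system.

```python
import os
import stat
import tempfile
import time

# Locations the attack scenarios target; assumed defaults, adjust per host.
AUDIT_ROOTS = ['/etc/cron.d', '/etc/cron.hourly', '/etc/systemd/system',
               '/var/spool/cron', '/root/.ssh', '/home', '/var/www']


def uid_for(user: str):
    """Resolve a user name to a uid; None if unknown or not on POSIX."""
    try:
        import pwd
        return pwd.getpwnam(user).pw_uid
    except (ImportError, KeyError):
        return None


def recent_files(roots, since_epoch: float, owner_uid=None) -> list:
    """Return (path, mtime, uid, mode) for files modified at or after
    since_epoch. Symlinks are reported but not followed, and unreadable or
    missing directories are skipped rather than aborting the sweep."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if st.st_mtime < since_epoch:
                    continue
                if owner_uid is not None and st.st_uid != owner_uid:
                    continue
                hits.append((path, st.st_mtime, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed fixture: one week-old file and one file written just now."""
    root = tempfile.mkdtemp(prefix='fireshare-audit-demo-')
    old = os.path.join(root, 'legit.conf')
    new = os.path.join(root, 'cron.d', 'malicious')
    os.makedirs(os.path.dirname(new))
    with open(old, 'w') as fh:
        fh.write('# unchanged for a week\n')
    with open(new, 'w') as fh:
        fh.write('* * * * * root /usr/bin/id\n')
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    return root


def demo(since_age_seconds: float = 86400) -> list:
    """Sweep a fresh demo tree; returns the basenames of the flagged files."""
    root = build_demo_tree()
    cutoff = time.time() - since_age_seconds
    return [os.path.basename(p) for p, _, _, _ in recent_files([root], cutoff)]


if __name__ == '__main__':
    cutoff = time.time() - 86400          # anything touched in the last day
    for path, mtime, uid, mode in recent_files([build_demo_tree()], cutoff):
        print(mode, uid, time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(mtime)), path)
    # Real sweep, run as root after narrowing the window to the exposure period:
    # recent_files(AUDIT_ROOTS, cutoff, owner_uid=uid_for('fireshare'))
```

Set the cutoff to the earliest time the instance was reachable while unpatched rather than to a fixed day, and treat a hit owned by the Fireshare account in a cron, systemd, SSH or web-root directory as an incident until explained.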
Patch Information
The vulnerability has been patched in Fireshare version 1.5.3. The fix applies input sanitization to the checkSum parameter using a regular expression that allows only alphanumeric characters, underscores, and hyphens. Additionally, the patched version returns a 400 error if the sanitized checkSum is empty.
For more information, see the GitHub Security Advisory GHSA-fvvp-rj8g-c7gc, the GitHub Pull Request #520, and the GitHub Release v1.5.3.
Workarounds
- Block access to the /api/uploadChunked/public endpoint at the reverse proxy or firewall level until patching is complete
- Disable public upload functionality if not required for business operations
- Implement network segmentation to limit the blast radius if exploitation occurs
- Run Fireshare as a dedicated unprivileged user whose write access is limited to its own data and upload directories (in containers, a read-only root filesystem with only the data volumes writable), so that an arbitrary file write cannot reach cron, systemd, SSH or web-root locations
# Example nginx configuration to block the vulnerable endpoint.
# Place it in the server block that proxies to Fireshare. nginx selects the
# longest matching prefix, so this location wins over a catch-all "location /"
# while the authenticated /api/uploadChunked endpoint stays reachable; the
# "^~" modifier stops a later regex location from overriding the match.
# "return 403" is evaluated before "deny all", so either line alone suffices.
location ^~ /api/uploadChunked/public {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

