CVE-2026-40163 Overview
CVE-2026-40163 is a path traversal vulnerability affecting Saltcorn, an extensible, open source, no-code database application builder. The vulnerability exists in the sync API endpoints and allows unauthenticated attackers to perform unauthorized file system operations. Specifically, the POST /sync/offline_changes endpoint enables arbitrary directory creation and file writing, while the GET /sync/upload_finished endpoint permits directory listing and reading of JSON files anywhere on the server filesystem.
Critical Impact
Unauthenticated attackers can create arbitrary directories, write malicious JSON files to any location on the server, and enumerate sensitive file system contents without any authentication.
Affected Products
- Saltcorn versions prior to 1.4.5
- Saltcorn versions prior to 1.5.5
- Saltcorn versions prior to 1.6.0-beta.4
Discovery Timeline
- April 10, 2026 - CVE-2026-40163 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40163
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Path Traversal) and stems from insufficient path validation in Saltcorn's synchronization API endpoints. The application fails to properly sanitize user-controlled input that specifies file paths, allowing attackers to traverse directory structures using sequences like ../ to escape intended directories.
The vulnerability exposes two distinct attack surfaces. First, the POST /sync/offline_changes endpoint accepts user input that ultimately determines where a changes.json file is written on the filesystem. By manipulating this input with path traversal sequences, an attacker can write attacker-controlled JSON content to arbitrary locations. Second, the GET /sync/upload_finished endpoint similarly fails to validate path parameters, enabling attackers to list directory contents and read JSON files from any accessible path on the server.
This combination of arbitrary file write and information disclosure capabilities presents significant risk, as attackers could potentially overwrite critical configuration files, inject malicious content into web-accessible directories, or exfiltrate sensitive data from the server.
Root Cause
The root cause is improper input validation in the sync API endpoints. The application does not adequately sanitize or validate user-supplied path components before using them in filesystem operations. This allows path traversal sequences (such as ../) to be processed, enabling access to directories outside the intended scope of the synchronization feature.
Attack Vector
The attack is conducted over the network without requiring any authentication. An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoints:
Arbitrary File Write: By sending a malicious POST request to /sync/offline_changes with path traversal sequences in the relevant parameters, an attacker can force the server to create directories and write a changes.json file with attacker-controlled content to arbitrary filesystem locations.
Information Disclosure: By sending a crafted GET request to /sync/upload_finished with traversal sequences, an attacker can enumerate directory contents and read JSON files from locations outside the intended sync directory.
The attack requires no user interaction and can be performed remotely by any network-accessible attacker, making this a significant security concern for internet-facing Saltcorn deployments.
Detection Methods for CVE-2026-40163
Indicators of Compromise
- Unexpected changes.json files appearing in directories outside the normal Saltcorn data paths
- HTTP access logs showing requests to /sync/offline_changes or /sync/upload_finished endpoints with path traversal patterns (e.g., ../, ..%2f, %2e%2e/)
- Newly created directories with suspicious naming patterns or in unexpected filesystem locations
- Evidence of unauthorized file reads or directory listings in web server logs
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences in request parameters targeting /sync/ endpoints
- Monitor HTTP request logs for patterns containing encoded or unencoded directory traversal sequences
- Deploy file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation or modification
- Review access logs for unauthenticated requests to the sync API endpoints from unexpected IP addresses
Monitoring Recommendations
- Enable detailed logging for the Saltcorn application, particularly for sync-related operations
- Set up alerts for any filesystem modifications outside designated data directories
- Monitor for abnormal patterns in API endpoint usage, especially from unauthenticated sources
- Regularly audit the filesystem for unexpected changes.json files in non-standard locations
How to Mitigate CVE-2026-40163
Immediate Actions Required
- Upgrade Saltcorn to version 1.4.5, 1.5.5, or 1.6.0-beta.4 immediately to address this vulnerability
- If immediate patching is not possible, restrict network access to the /sync/offline_changes and /sync/upload_finished endpoints using firewall rules or reverse proxy configuration
- Audit the filesystem for any unexpected changes.json files that may indicate prior exploitation
- Review access logs for evidence of exploitation attempts against the vulnerable endpoints
Patch Information
The Saltcorn development team has released security patches addressing this vulnerability in versions 1.4.5, 1.5.5, and 1.6.0-beta.4. Organizations should upgrade to one of these patched versions based on their current deployment track. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Block or restrict access to the /sync/offline_changes and /sync/upload_finished endpoints at the network level using firewall rules or reverse proxy configurations
- Implement authentication requirements for the sync API endpoints if the application supports such customization
- Deploy a web application firewall (WAF) with rules to detect and block path traversal attempts
- Run the Saltcorn application with minimal filesystem permissions to limit the impact of potential exploitation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
