CVE-2026-40258 Overview
CVE-2026-40258 is a critical path traversal vulnerability, commonly known as "Zip Slip," affecting the Gramps Web API, a Python REST API for the genealogical research software Gramps. The vulnerability exists in the media archive import feature and allows authenticated users with owner-level privileges to craft malicious ZIP files containing directory-traversal filenames. This enables arbitrary file writes outside the intended temporary extraction directory on the server's local filesystem, potentially leading to remote code execution or complete system compromise.
Critical Impact
Authenticated attackers with owner privileges can achieve arbitrary file write on the server filesystem, potentially enabling remote code execution, configuration tampering, or deployment of web shells.
Affected Products
- Gramps Web API versions 1.6.0 through 3.11.0
Discovery Timeline
- 2026-04-17 - CVE-2026-40258 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40258
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal) and manifests in the media archive import functionality of the Gramps Web API. The flaw occurs because the application extracts ZIP file contents without validating that the resolved paths of archive entries remain within the intended temporary directory boundary. An attacker can exploit this by including specially crafted filenames in a ZIP archive that contain directory traversal sequences (e.g., ../../../etc/cron.d/malicious).
When the malicious ZIP is processed by the media import feature, files are written to arbitrary locations on the server filesystem based on the attacker-controlled paths embedded in the archive. While exploitation requires owner-level authentication, this still presents a significant risk in multi-tenant environments or scenarios where owner accounts may be compromised.
Root Cause
The root cause of CVE-2026-40258 lies in the media_importer.py module's handling of ZIP file extraction. Prior to version 3.11.1, the code called zip_file.extractall(temp_dir) without first validating that each archive member's resolved path remained within the temporary directory boundary. This allowed malicious archive entries with traversal sequences to escape the intended extraction directory.
Attack Vector
The attack vector is network-based and requires authentication with owner-level privileges. The sequence is:
- The attacker obtains owner-level access to the Gramps Web API instance
- The attacker crafts a malicious ZIP archive containing filenames with path traversal sequences (e.g., ../../var/www/html/shell.php)
- The attacker uploads the malicious archive through the media import feature
- On extraction, the server writes the archive's files to locations outside the temporary directory
The following patch demonstrates how version 3.11.1 addresses the vulnerability by validating ZIP entry paths before extraction:
raise ValueError("Not enough free space on disk")
temp_dir = tempfile.mkdtemp()
+ temp_dir_real = os.path.realpath(temp_dir)
+ for member in zip_file.namelist():
+ member_path = os.path.realpath(os.path.join(temp_dir_real, member))
+ if not member_path.startswith(temp_dir_real + os.sep):
+ raise ValueError(f"Zip Slip path traversal detected: {member}")
zip_file.extractall(temp_dir)
return temp_dir
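Review bot: the new raise ValueError(f"Zip Slip path traversal detected: {member}") fires after temp_dir = tempfile.mkdtemp() has already created the directory and nothing removes it, so every rejected archive leaks an empty temp directory; either validate zip_file.namelist() before calling mkdtemp, or wrap the loop so that shutil.rmtree(temp_dir) runs on rejection. A second point on the containment test: member_path.startswith(temp_dir_real + os.sep) also rejects a member that resolves to the temp directory itself (a "./" directory entry), because the resolved path has no trailing separator; os.path.commonpath([temp_dir_real, member_path]) == temp_dir_real accepts that entry while still refusing absolute names, "../" traversal and sibling-prefix directories such as temp_dir_real + "-x".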
Source: GitHub Commit 3ed4342
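The same containment check as a stand-alone function, written as an added example (not Gramps Web API code) that generalizes the patch slightly: it uses os.path.commonpath rather than a string prefix, covers absolute member names as well as "../" traversal, and aborts the whole import before any file is written. The archives, member names and destination directory are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def check_zip_members(names, dest_dir):
    """Return the archive members that would resolve outside dest_dir.

    Same idea as the 3.11.1 fix (realpath every member against the real
    destination), but using os.path.commonpath, so a member that resolves to
    dest_dir itself (a "./" directory entry) is accepted while an absolute
    name, "../" traversal, or a sibling prefix like dest_dir + "-x" are all
    rejected. Hypothetical helper, not Gramps Web API code.
    """
    dest_real = os.path.realpath(dest_dir)
    bad = []
    for name in names:
        # os.path.join drops dest_real when name is absolute, so an absolute
        # member resolves elsewhere and fails the same containment test.
        target = os.path.realpath(os.path.join(dest_real, name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad

def safe_extract(zip_bytes, dest_dir):
    """Extract an in-memory ZIP into dest_dir; refuse the whole archive if
    any member escapes, checking before a single file is written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = check_zip_members(zf.namelist(), dest_dir)
        if bad:
            raise ValueError(f"Zip Slip path traversal detected: {bad}")
        zf.extractall(dest_dir)
        return zf.namelist()

def build_zip(entries):
    """Build a ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Run a benign and a hostile constructed archive through safe_extract."""
    dest = tempfile.mkdtemp()
    benign = build_zip({"media/photo.jpg": b"jpeg bytes"})
    hostile = build_zip({"media/decoy.txt": b"x", "../../outside.txt": b"x",
                         "/opt/constructed/absolute.txt": b"x"})
    extracted = safe_extract(benign, dest)
    try:
        safe_extract(hostile, dest)
        rejected = []
    except ValueError:
        rejected = check_zip_members(
            zipfile.ZipFile(io.BytesIO(hostile)).namelist(), dest)
    return {"extracted": extracted, "rejected": rejected,
            "decoy_written": os.path.exists(os.path.join(dest, "media", "decoy.txt"))}
```

Because the hostile archive is rejected as a whole, its benign-looking decoy entry is never written either, which is the behaviour the upstream fix intends.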
Detection Methods for CVE-2026-40258
Indicators of Compromise
- Unexpected files appearing outside the Gramps Web API temporary directories, particularly in web-accessible or system configuration paths
- Media import log entries for uploaded ZIP archives whose member names contain ../ sequences or absolute paths
- New or modified files in critical system directories (e.g., /etc/cron.d/, web root directories, or SSH authorized_keys)
- Web shell artifacts or unauthorized PHP/Python scripts in application directories
Detection Strategies
- Monitor file system activity for write operations originating from the Gramps Web API process that target directories outside the expected application paths
- Implement application-level logging to capture ZIP archive member names during media import operations
- Deploy file integrity monitoring (FIM) solutions to detect unauthorized modifications to critical system files and web application directories
- Review web server access logs for suspicious media import requests followed by access to newly created files
Monitoring Recommendations
- Configure SIEM alerts for ZIP extraction events combined with file writes to sensitive directories
- Enable enhanced audit logging for the Gramps Web API application to capture all media import operations and associated file paths
- Monitor for process execution anomalies that may indicate successful exploitation via web shell deployment
- Implement network monitoring for command-and-control traffic that may follow successful arbitrary file write attacks
How to Mitigate CVE-2026-40258
Immediate Actions Required
- Upgrade Gramps Web API to version 3.11.1 or later immediately
- Audit server filesystem for any unexpected files created outside the application's intended directories
- Review owner-level account access logs for suspicious media import activity
- Consider temporarily disabling the media archive import feature until patching is complete
Patch Information
The vulnerability is fully addressed in Gramps Web API version 3.11.1. The fix implements proper path validation by resolving the real path of each ZIP entry and comparing it against the temporary directory boundary before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import operation.
For detailed patch information, see:
Workarounds
- Restrict owner-level account access to only trusted administrators until the patch can be applied
- Implement web application firewall (WAF) rules to inspect and block ZIP uploads containing path traversal sequences
- Deploy network segmentation to limit the impact of potential file write exploitation on the server
- Enable read-only filesystem mounts for critical directories where feasible to prevent malicious file writes
# Configuration example: Restrict file permissions on critical directories
# (paths are illustrative; substitute the actual web root and the account the
# Gramps Web API runs as, which should not own either directory)
chmod 755 /var/www/html
chown root:root /var/www/html
chmod 700 /etc/cron.d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.