CVE-2026-4044 Overview
A path traversal vulnerability has been identified in ProjectSend up to version r1945. This security flaw affects the realpath function within the /import-orphans.php file, specifically in the Delete Handler component. By manipulating the files[] argument, an attacker can exploit this vulnerability to traverse directories and potentially access or delete files outside the intended directory scope. The vulnerability is remotely exploitable over the network, and a public exploit is now available.
Critical Impact
Remote attackers with high-level privileges can exploit this path traversal vulnerability to manipulate file operations beyond intended boundaries, potentially leading to unauthorized file access or deletion on affected ProjectSend installations.
Affected Products
- ProjectSend up to version r1945
- Systems running the vulnerable /import-orphans.php Delete Handler component
Discovery Timeline
- 2026-03-12 - CVE-2026-4044 published to NVD
- 2026-03-12 - Last updated in the NVD database
Technical Details for CVE-2026-4044
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal). The flaw exists in the Delete Handler functionality of ProjectSend's /import-orphans.php file. The vulnerable code improperly handles the files[] parameter, allowing attackers to craft malicious input that bypasses directory restrictions.
The realpath function, which is intended to resolve canonical absolute pathnames, is being used in a manner that fails to properly validate whether the resolved path remains within the expected directory boundaries. This allows an attacker to use directory traversal sequences (such as ../) to reference files outside the designated upload or orphan file directories.
The vendor was contacted about this vulnerability but did not respond, leaving users without an official patch at the time of disclosure. Additional technical details are available through VulDB CTI ID #350656.
Root Cause
The root cause of this vulnerability is insufficient input validation on the files[] parameter before it is processed by the realpath function. The application fails to properly sanitize user-supplied file paths, allowing directory traversal sequences to be included in the input. Without adequate validation to ensure that resolved paths remain within the intended directory structure, attackers can manipulate file operations to target arbitrary files on the system.
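The following is an added illustration, not ProjectSend's own code, of the realpath misuse described above and of a containment check that closes it; the function names and the orphan directory are assumed, and str_starts_with() requires PHP 8.0 or later.

```php
<?php
// Added example, not ProjectSend's own code. Shows the CWE-22 pattern the advisory
// describes and a hardened replacement. Function and directory names are assumed.

// Vulnerable pattern: realpath() canonicalises "../" but the result is never checked
// against the orphan directory, so "../../config.php" resolves and gets deleted.
function deleteOrphanVulnerable(string $orphanDir, string $name): bool
{
    $real = realpath($orphanDir . '/' . $name);
    return $real !== false && unlink($real);   // no containment check
}

// Hardened: resolve the base once, resolve the candidate, and require that the
// candidate sits strictly inside the base (prefix plus separator). PHP has already
// URL-decoded $_POST['files'][], so "..%2f" arrives here as "../" and the check
// does not depend on the request encoding.
function resolveInsideDir(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || $name !== basename($name)) {
        return null;   // base missing, or name is not a bare file name
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false) {
        return null;   // nonexistent target, or dangling symlink
    }
    // realpath() follows symlinks, so a link inside the directory that points
    // outside it is rejected here as well.
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

function deleteOrphanHardened(string $orphanDir, string $name): bool
{
    $target = resolveInsideDir($orphanDir, $name);
    return $target !== null && is_file($target) && unlink($target);
}

// Demonstration on a constructed temporary directory (inputs are constructed).
$orphanDir = sys_get_temp_dir() . '/orphans_demo_' . getmypid();
mkdir($orphanDir);
file_put_contents($orphanDir . '/upload.bin', 'x');
foreach (['upload.bin', '../../etc/passwd', '..', 'missing.bin'] as $name) {
    $verdict = resolveInsideDir($orphanDir, $name) === null ? 'rejected' : 'allowed';
    echo str_pad($name, 20) . ' => ' . $verdict . PHP_EOL;
}
unlink($orphanDir . '/upload.bin');
rmdir($orphanDir);
```

Only the first name is allowed; the traversal inputs are rejected by the bare-name check, and a missing file is rejected because realpath() returns false.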
Attack Vector
The attack vector is network-based, requiring authenticated access with high privileges. An attacker would craft a malicious HTTP request to the /import-orphans.php endpoint, including specially crafted files[] parameter values containing path traversal sequences. When the Delete Handler processes this request, it would resolve the manipulated path using realpath and potentially perform file operations on unintended targets.
The exploitation mechanism involves:
- Authenticating to the ProjectSend application with appropriate privileges
- Sending a crafted request to /import-orphans.php with malicious files[] values
- The server processes the path traversal sequences, allowing access to files outside the intended directory
- File integrity or availability may be compromised depending on the specific file operations performed
Detection Methods for CVE-2026-4044
Indicators of Compromise
- HTTP requests to /import-orphans.php containing path traversal patterns such as ../ or encoded variants in the files[] parameter
- Unexpected file access or deletion events in directories outside the ProjectSend upload directories
- Web server logs showing suspicious requests to the Delete Handler with encoded directory traversal sequences
- File system audit logs indicating access to sensitive files from the web server process
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block requests containing directory traversal patterns targeting /import-orphans.php
- Implement file integrity monitoring on critical system files and directories
- Review web server access logs for requests containing suspicious files[] parameter values with ../, ..%2f, or similar patterns
- Configure intrusion detection systems to alert on path traversal attack signatures directed at ProjectSend endpoints
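The log review suggested above, as an added example that is not part of the advisory or of ProjectSend: it runs over constructed combined-format access log lines and flags requests to /import-orphans.php whose query string carries a dot-dot segment in plain, URL-encoded or double-encoded form. It assumes the parameter travels in the query string; files[] values sent in a POST body do not appear in access logs and need application-side logging or body-inspecting WAF rules.

```php
<?php
// Added example, not part of the advisory or of ProjectSend. Applies the log review
// suggested above to constructed access log lines: flag requests to
// /import-orphans.php whose query string carries "../" in any of the encodings
// mentioned (plain, "..%2f", "%2e%2e%2f", and double-encoded "%252e%252e%252f").
// Only the query string is visible in access logs; files[] sent in a POST body
// needs application-level logging or a WAF that inspects request bodies.

function decodeFully(string $value, int $maxRounds = 3): string
{
    // Peel off repeated percent-encoding so "%252e" -> "%2e" -> "." is caught.
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

function isTraversalRequest(string $logLine): bool
{
    // Combined log format keeps the request line in quotes: "GET /path?q HTTP/1.1".
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $parts = parse_url($m[1]);
    if ($parts === false || basename($parts['path'] ?? '') !== 'import-orphans.php') {
        return false;
    }
    // Decode the whole query, then look for a ".." segment bounded by a separator or "=".
    return (bool) preg_match('#(^|[/\\\\=])\.\.([/\\\\]|$)#', decodeFully($parts['query'] ?? ''));
}

// Constructed sample lines (not from any real system).
$lines = [
    '10.0.0.5 - admin [12/Mar/2026:10:01:02 +0000] "GET /import-orphans.php?files[]=report.pdf HTTP/1.1" 200 512',
    '10.0.0.7 - admin [12/Mar/2026:10:02:10 +0000] "GET /import-orphans.php?files[]=../../config.php HTTP/1.1" 200 33',
    '10.0.0.7 - admin [12/Mar/2026:10:02:11 +0000] "GET /import-orphans.php?files%5B%5D=..%2f..%2fconfig.php HTTP/1.1" 200 33',
    '10.0.0.7 - admin [12/Mar/2026:10:02:12 +0000] "GET /import-orphans.php?files%5B%5D=%252e%252e%252fconfig.php HTTP/1.1" 200 33',
    '10.0.0.9 - bob [12/Mar/2026:10:03:00 +0000] "GET /upload.php?file=../x HTTP/1.1" 200 10',
];
foreach ($lines as $n => $line) {
    echo 'line ', $n + 1, ': ', isTraversalRequest($line) ? 'ALERT' : 'ok', PHP_EOL;
}
```

Lines 2 to 4 are flagged; line 1 is a legitimate request and line 5 targets a different endpoint, so both report ok.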
Monitoring Recommendations
- Enable detailed logging for the ProjectSend application, particularly for file operations in the Delete Handler
- Monitor for unusual file deletion patterns or access to files outside the ProjectSend data directories
- Set up alerts for failed file operations that may indicate exploitation attempts
- Implement real-time log analysis for web server access logs focusing on the /import-orphans.php endpoint
How to Mitigate CVE-2026-4044
Immediate Actions Required
- Restrict network access to ProjectSend installations to trusted IP addresses only
- Implement additional authentication controls for administrative functions including the Delete Handler
- Deploy a web application firewall with rules specifically targeting path traversal attacks
- Consider disabling the /import-orphans.php functionality if not required for operations
Patch Information
At the time of this disclosure, the vendor has not responded to contact attempts and no official patch is available. Users should monitor the ProjectSend project for security updates and apply patches as soon as they become available. Additional vulnerability details can be found at VulDB #350656.
Workarounds
- Implement strict input validation at the web server level to reject requests containing path traversal sequences
- Use file system permissions to restrict the web server process from accessing files outside the intended directories
- Consider running ProjectSend in a containerized environment with limited file system access
- Apply network segmentation to isolate ProjectSend from sensitive internal systems
# Example Apache mod_rewrite rule to block path traversal attempts
# Add to .htaccess (requires AllowOverride FileInfo) or to the Apache configuration;
# in the main configuration the pattern needs a leading slash: ^/import-orphans\.php
# Note: %{QUERY_STRING} is matched undecoded and covers GET parameters only; files[]
# values sent in a POST body are not inspected, so pair this with application-side checks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|%2e%2e(/|%2f)) [NC,OR]
RewriteCond %{QUERY_STRING} (files(\[\]|%5B%5D)=.*\.\.) [NC]
RewriteRule ^import-orphans\.php - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

