CVE-2026-42549 Overview
CVE-2026-42549 is a path traversal vulnerability [CWE-22] in the Flight PHP micro-framework. The flaw resides in the make:controller CLI command, which calls mkdir(..., recursive: true) on a path derived from user-supplied controller names before Nette's class-name validation executes. While Nette correctly rejects the class-file write when the name contains /, the recursive directory creation side effect persists. Attackers with local CLI access can supply ../ sequences to create directories outside the project root. Flight version 3.18.1 resolves the issue.
Critical Impact
A local user invoking the Flight scaffolding CLI can create arbitrary directories outside the project root through directory traversal in the controller name argument.
Affected Products
- Flight PHP framework (flightphp/core) prior to 3.18.1
- Applications using the make:controller CLI scaffolding command
- Development environments running Flight scaffolding tools
Discovery Timeline
- 2026-05-13 - CVE-2026-42549 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42549
Vulnerability Analysis
Flight is an extensible micro-framework for PHP that provides a CLI scaffolding tool for generating controller skeletons. The make:controller command accepts a controller name from the user and constructs a filesystem path for the new class file. The command invokes mkdir(..., recursive: true) against that path before delegating class-name validation to Nette.
Nette correctly rejects names containing / and refuses to write the class file. However, the directory creation has already occurred. The cleanup of the partially executed scaffolding is incomplete, leaving attacker-controlled directories on disk. The traversal is bounded only by the operating system permissions of the user running the CLI.
Root Cause
The root cause is an ordering defect in input handling. The framework performs a privileged filesystem side effect (mkdir with recursive: true) before running validation on the same input. Validation logic enforced by Nette runs too late to prevent the directory creation. This pattern violates the principle that destructive or persistent operations must follow successful input validation.
Attack Vector
The attack requires local access and low privileges, matching the local attack vector classification. An attacker invokes the scaffolding CLI with a controller name containing ../ traversal segments, for example ../../../tmp/evil/Controller. The recursive mkdir call resolves the relative path and creates each intermediate directory outside the project root. While the class file is not written, the resulting directories can be leveraged for staging, persistence, or to disrupt application logic that scans known locations.
No verified exploit code is publicly available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-42549
Indicators of Compromise
- Unexpected directories created outside the Flight project root, particularly along paths containing repeating .. segments.
- Shell history entries showing make:controller invocations with controller names containing / or ...
- Filesystem audit log entries recording mkdir syscalls originating from the PHP CLI binary against paths above the project working directory.
Detection Strategies
- Audit version metadata in composer.lock for flightphp/core entries below 3.18.1.
- Monitor process execution telemetry for php invocations of the Flight CLI with arguments containing ../ patterns.
- Compare the developer workstation or CI runner directory tree against expected project layouts to identify stray directories.
Monitoring Recommendations
- Enable filesystem auditing on developer workstations and CI build agents that run Flight scaffolding commands.
- Centralize CLI command history and shell audit logs for review when anomalous directories appear.
- Alert on Flight CLI executions where controller name arguments contain path separators or traversal sequences.
How to Mitigate CVE-2026-42549
Immediate Actions Required
- Upgrade flightphp/core to version 3.18.1 or later using composer update flightphp/core.
- Inventory all developer workstations, build servers, and container images that include Flight to confirm patched versions.
- Restrict execution of the make:controller CLI to trusted developers and avoid running it with untrusted input.
Patch Information
The maintainers fixed CVE-2026-42549 in Flight version 3.18.1. The patch reorders the scaffolding logic so class-name validation runs before any filesystem operations. Review the GitHub Security Advisory GHSA-3xjv-pmf2-gf2q for full remediation details and commit references.
Workarounds
- Avoid invoking make:controller until the framework is upgraded to 3.18.1.
- Run the Flight CLI inside a constrained container or chroot so any traversal cannot escape the sandbox.
- Enforce code review on scaffolding inputs and reject controller names containing /, \, or .. before passing them to the CLI.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
