CVE-2026-42605 Overview
CVE-2026-42605 is a path traversal vulnerability [CWE-22] in AzuraCast, a self-hosted web radio management suite. The flaw resides in the Flow.js media upload endpoint at POST /api/station/{station_id}/files/upload, where the currentDirectory request parameter is not sanitized for traversal sequences. Authenticated users with media management permissions can write arbitrary files outside the station media directory when the local filesystem storage backend is used. Attackers can stage a PHP webshell in the web root and achieve remote code execution. AzuraCast patched the issue in version 0.23.6.
Critical Impact
Authenticated attackers with media management privileges can achieve remote code execution on AzuraCast servers using the default local filesystem backend.
Affected Products
- AzuraCast versions prior to 0.23.6
- Deployments using the default local filesystem storage backend
- All operating systems running vulnerable AzuraCast instances (Docker, Linux installs)
Discovery Timeline
- 2026-05-09 - CVE-2026-42605 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42605
Vulnerability Analysis
The vulnerability exists in AzuraCast's Flow.js chunked upload handler. The endpoint accepts a currentDirectory parameter that designates the destination folder for uploaded media files. AzuraCast joins this user-controlled value with the station's media storage root without canonicalizing the resulting path or rejecting .. sequences.
When the local filesystem adapter is active (the default configuration), the resolved path escapes the station's storage directory. An authenticated user can therefore write files to any location writable by the AzuraCast web process, including the application's PHP web root. Uploading a .php file to a web-accessible directory yields code execution under the web server account.
Root Cause
The root cause is missing path normalization in the Flysystem abstraction layer used by AzuraCast. The AbstractFilesystem class did not normalize paths before passing them to the local adapter, and the LocalAdapterInterface lacked explicit upload and download methods that enforced path boundaries.
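The root cause above, worked through in code. This is an added example written for this page; it is not AzuraCast's PathNormalizer or any other code from the project. It shows the unsafe pattern (join the user-supplied directory onto the storage root and let the operating system resolve `..` later) next to a lexical normalizer that refuses any path whose `..` segments would climb above the root. Storage root, directory and file names are constructed, and the code assumes the currentDirectory value is passed in as received from the request, percent-encoded or not.

```python
"""Lexical path normalization with a containment check.

Added example illustrating the root cause described on this page; it is not
AzuraCast's PathNormalizer or any other code from the project. Paths, directory
names and file names are constructed. It assumes the caller passes the
currentDirectory value exactly as received from the request.
"""
import posixpath
from typing import List
from urllib.parse import unquote


class PathEscapesRoot(ValueError):
    """Raised when a user-supplied path would resolve outside the storage root."""


def normalize_relative(user_path: str) -> str:
    """Normalize a slash-separated user path to a clean relative path.

    One layer of percent-encoding is removed so that %2e%2e is handled the same
    as '..' (a second layer, %252e, stays a literal segment name and is harmless).
    Backslashes count as separators. Empty and '.' segments are dropped; '..'
    pops the previous segment and raises if there is nothing left to pop, which
    is exactly the case that lets a path climb out of the root.
    """
    decoded = unquote(user_path).replace("\\", "/")
    parts: List[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # also swallows a leading '/', so absolute input stays relative
        if segment == "..":
            if not parts:
                raise PathEscapesRoot(f"path escapes root: {user_path!r}")
            parts.pop()
            continue
        if "\0" in segment:
            raise ValueError("NUL byte in path segment")
        parts.append(segment)
    return "/".join(parts)


def vulnerable_join(root: str, current_directory: str, filename: str) -> str:
    """The pattern behind the flaw: join first, let '..' resolve afterwards."""
    return posixpath.normpath(posixpath.join(root, current_directory, filename))


def safe_join(root: str, current_directory: str, filename: str) -> str:
    """Normalize the user-controlled parts, then re-check containment lexically."""
    rel_dir = normalize_relative(current_directory)
    rel_file = normalize_relative(filename)
    if not rel_file or "/" in rel_file:
        raise ValueError("filename must be a single path segment")
    root_n = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_n, rel_dir, rel_file))
    # Second line of defence; normalize_relative() should already make this unreachable.
    if full != root_n and not full.startswith(root_n.rstrip("/") + "/"):
        raise PathEscapesRoot(full)
    return full


def is_contained(root: str, current_directory: str, filename: str) -> bool:
    """Convenience predicate: does safe_join() accept this destination?"""
    try:
        safe_join(root, current_directory, filename)
    except ValueError:  # PathEscapesRoot is a ValueError
        return False
    return True


if __name__ == "__main__":
    ROOT = "/var/azuracast/stations/demo/media"  # constructed storage root
    print(vulnerable_join(ROOT, "../../../../www/public", "upload.php"))  # leaves the root
    print(safe_join(ROOT, "podcasts/../jingles", "id.mp3"))               # stays inside
    print(is_contained(ROOT, "%2e%2e/%2e%2e/www", "upload.php"))          # False
```

Note that `vulnerable_join` also silently accepts an absolute `current_directory`, because `posixpath.join` discards everything before an absolute component; `normalize_relative` strips the leading slash instead, so absolute input is confined under the root rather than rejected.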
Attack Vector
An authenticated user with media management permissions sends a chunked upload request to the Flow.js endpoint with a crafted currentDirectory value containing ../ sequences. The request body includes a PHP payload masquerading as a media file. Once written into the web root, the attacker requests the file through the web server to trigger execution.
// Patch excerpt: backend/src/Flysystem/AbstractFilesystem.php
// Adds a PathNormalizer to sanitize paths before adapter operations.
protected ExtendedAdapterInterface $adapter;
protected PathNormalizer $pathNormalizer;

public function __construct(
    ExtendedAdapterInterface $adapter,
    array $config = [],
Source: AzuraCast commit 18c793b
// Patch excerpt: backend/src/Flysystem/Adapter/LocalAdapterInterface.php
// Introduces explicit upload/download contracts to constrain local paths.
use League\Flysystem\UnableToCopyFile;

interface LocalAdapterInterface extends ExtendedAdapterInterface
{
    public function getLocalPath(string $path): string;

    public function upload(string $localPath, string $to): void;

    public function download(string $from, string $localPath): void;
}
Source: AzuraCast commit 18c793b
Detection Methods for CVE-2026-42605
Indicators of Compromise
- New .php, .phtml, or .phar files appearing under the AzuraCast web root or public directories
- HTTP POST requests to /api/station/{station_id}/files/upload containing .. or URL-encoded %2e%2e in the currentDirectory parameter
- Files owned by the web server user in directories outside the configured station media storage path
- Outbound network connections initiated by the PHP-FPM or web server process to unexpected hosts
Detection Strategies
- Inspect web server and application logs for upload requests whose currentDirectory parameter contains traversal sequences or absolute paths
- Audit the AzuraCast installation directory for recently modified executable script files that do not match a known release
- Monitor process execution chains where the web server spawns shells, curl, wget, or interpreter processes
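The first detection strategy above, run over sample log lines. This is an added example written for this page, not part of the advisory or of AzuraCast. It assumes the web server writes the common "combined" access log format and that currentDirectory appears in the query string of the upload request; a copy of the parameter carried only in a multipart request body is not visible in an access log and needs application-level logging instead. It flags plain, percent-encoded and double-encoded traversal sequences as well as absolute paths. All log lines in the block are constructed.

```python
"""Scan access logs for traversal attempts against the AzuraCast upload endpoint.

Added example for the detection strategies on this page; it is not part of the
advisory or of AzuraCast. Assumes the nginx/Apache "combined" log format and that
currentDirectory appears in the query string (a body-borne copy is not logged).
All sample lines are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

UPLOAD_PATH = re.compile(r"^/api/station/\d+/files/upload$")

# Leading fields of the "combined" format; referer and user agent are ignored.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e and %2e%2e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(current_directory: str) -> bool:
    """True if the directory contains a '..' segment or is an absolute path.

    Backslashes are normalized to '/' so Windows-style separators are not missed.
    """
    decoded = fully_decode(current_directory).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/")


def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious upload request, or None."""
    m = COMBINED.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not UPLOAD_PATH.match(url.path):
        return None
    # parse_qs removes one encoding layer; fully_decode() handles any further layers.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("currentDirectory", []):
        if is_traversal(value):
            return {
                "ip": m["ip"],
                "user": m["user"],
                "timestamp": m["ts"],
                "currentDirectory": fully_decode(value),
                "status": int(m["status"]),
            }
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run scan_line() over an iterable of log lines and collect the findings."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log: one legitimate upload, three traversal attempts
# (plain, percent-encoded, double-encoded) and one request to another endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - dj_alice [09/May/2026:10:01:22 +0000] "POST /api/station/1/files/upload?currentDirectory=podcasts%2F2026&flowChunkNumber=1 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.7 - dj_bob [09/May/2026:10:05:10 +0000] "POST /api/station/1/files/upload?currentDirectory=../../../../var/www/public&flowChunkNumber=1 HTTP/1.1" 200 43 "-" "curl/8.5.0"',
    '198.51.100.7 - dj_bob [09/May/2026:10:05:41 +0000] "POST /api/station/1/files/upload?currentDirectory=%2e%2e%2f%2e%2e%2fpublic&flowChunkNumber=1 HTTP/1.1" 200 43 "-" "curl/8.5.0"',
    '198.51.100.7 - dj_bob [09/May/2026:10:06:03 +0000] "POST /api/station/2/files/upload?currentDirectory=%252e%252e%252fpublic&flowChunkNumber=1 HTTP/1.1" 200 43 "-" "curl/8.5.0"',
    '203.0.113.5 - dj_alice [09/May/2026:10:07:00 +0000] "GET /api/station/1/files/list?currentDirectory=.. HTTP/1.1" 200 1280 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the case to triage first: it means the application accepted the upload before the fix was applied, so the web root and the directories named in the decoded currentDirectory value should be checked for the files listed under Indicators of Compromise.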
Monitoring Recommendations
- Enable file integrity monitoring on the AzuraCast web root and PHP application directories
- Forward AzuraCast access logs and PHP error logs to a centralized logging platform for retention and search
- Alert on authenticated API sessions that generate unusual upload volumes or target administrative endpoints
How to Mitigate CVE-2026-42605
Immediate Actions Required
- Upgrade AzuraCast to version 0.23.6 or later without delay
- Review media management role assignments and revoke privileges from accounts that do not require upload access
- Rotate credentials for any account that could have written files prior to patching
- Inspect the web root and station media directories for unauthorized PHP files and remove them
Patch Information
The fix is included in AzuraCast release 0.23.6 via commit 18c793b4427eb49e67a2fea99a89f1c9d9dd808d. The patch introduces a PathNormalizer in AbstractFilesystem and defines explicit upload/download methods in LocalAdapterInterface to prevent paths from escaping the configured storage root. See the GitHub Security Advisory GHSA-vp2f-cqqp-478j and GitHub Release 0.23.6.
Workarounds
- Restrict the media management permission to trusted operators until the upgrade is applied
- Place a reverse proxy rule that rejects upload requests containing .. in the currentDirectory parameter
- Configure the web server to deny PHP execution from media storage directories
# Example nginx rule to block traversal sequences in the upload parameter.
# $arg_* variables are not percent-decoded, so the raw %2e%2e form has to be
# matched explicitly; ~* makes the match case-insensitive (%2E as well).
location ~ ^/api/station/[0-9]+/files/upload {
    if ($arg_currentDirectory ~* "(\.|%2e){2}") {
        return 403;
    }
    # A check on $request_body does not work here: "if" runs in the rewrite
    # phase, before nginx has read the request body, so the variable is empty
    # at this point. A currentDirectory field carried in the multipart body
    # can only be inspected by a body-aware module or a WAF in front of nginx.
}

# Disable PHP execution in media directories. A location block matches the
# request URI, not a filesystem path such as /var/azuracast/stations/..., so
# replace the placeholder with the URI prefix under which media files are served.
location ~* ^/<MEDIA-URI-PREFIX>/.*\.(php|phtml|phar)$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.