CVE-2026-43975 Overview
CVE-2026-43975 is a path traversal vulnerability [CWE-22] in Apache Wicket's FolderUploadsFileManager component. The component fails to validate or sanitize the uploadFieldId parameter and the clientFileName before constructing file paths. An unauthenticated remote attacker can write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server.
The issue affects Apache Wicket versions 8.0.0 through 8.17.0, 9.0.0 through 9.22.0, and 10.0.0 through 10.8.0. The Apache Wicket project recommends upgrading to version 10.9.0, which fixes the issue.
Critical Impact
Unauthenticated attackers can read sensitive files or write files outside the upload directory, which may enable configuration tampering and downstream code execution on Wicket-based web applications.
Affected Products
- Apache Wicket 8.0.0 through 8.17.0
- Apache Wicket 9.0.0 through 9.22.0
- Apache Wicket 10.0.0 through 10.8.0
Discovery Timeline
- 2026-05-06 - CVE-2026-43975 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in the NVD database
Technical Details for CVE-2026-43975
Vulnerability Analysis
Apache Wicket is a component-based Java web application framework. The FolderUploadsFileManager class manages temporary storage for uploaded files on the server filesystem. It accepts client-supplied identifiers when computing the destination path for incoming uploads.
The vulnerability stems from missing validation of two attacker-controlled inputs: uploadFieldId and clientFileName. Both values are concatenated into the target file path without normalization or rejection of traversal sequences such as ../. As a result, the resolved path can escape the configured upload directory.
An attacker can supply path segments that traverse upward in the directory tree, then either write a controlled file to an arbitrary location or cause the manager to read a file from an unintended path. The vulnerability is reachable without authentication and over the network.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The FolderUploadsFileManager trusts client-supplied path components and does not enforce that the constructed File object resides within the intended upload base directory. Path canonicalization and a containment check against the allowed parent directory are missing.
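The canonicalization and containment check the paragraph above describes as missing, written out as an added illustration in plain Java: this is not Wicket's code or the fix from Pull Request #1432, and the class and method names are hypothetical. The base directory is canonicalized once, each client-supplied value must be a single path segment, and the normalized result is verified to lie under the base directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafeUploadPath {
    private final Path baseDir;

    public SafeUploadPath(Path baseDir) throws IOException {
        // Canonicalize the allowed parent once (resolves symlinks and "..").
        this.baseDir = baseDir.toRealPath();
    }

    /** Builds baseDir/uploadFieldId/clientFileName, or throws if the result leaves baseDir. */
    public Path resolve(String uploadFieldId, String clientFileName) throws IOException {
        String fieldId = requireSingleSegment(uploadFieldId, "uploadFieldId");
        // Browsers may send a full client-side path; keep only its last segment.
        String fileName = requireSingleSegment(lastSegment(clientFileName), "clientFileName");
        Path target = baseDir.resolve(fieldId).resolve(fileName).normalize();
        // Containment check (defence in depth): the normalized path must still be under baseDir.
        if (!target.startsWith(baseDir)) {
            throw new IOException("path escapes upload directory: " + target);
        }
        return target;
    }

    private static String lastSegment(String name) {
        if (name == null) return null;
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        return cut >= 0 ? name.substring(cut + 1) : name;
    }

    // A single segment: non-empty, not "." or "..", no separators, no NUL byte.
    private static String requireSingleSegment(String value, String what) throws IOException {
        if (value == null || value.isEmpty() || value.equals(".") || value.equals("..")
                || value.indexOf('/') >= 0 || value.indexOf('\\') >= 0 || value.indexOf('\0') >= 0) {
            throw new IOException(what + " must be a single path segment");
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        SafeUploadPath p = new SafeUploadPath(Files.createTempDirectory("uploads"));
        System.out.println("accepted: " + p.resolve("field1", "C:\\Users\\me\\report.pdf"));
        try {
            p.resolve("../../outside", "report.pdf");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Path.startsWith compares whole name elements, so a sibling directory whose name merely begins with the base directory's name does not pass the check.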
Attack Vector
Exploitation occurs over the network against any Wicket application that exposes file upload functionality backed by FolderUploadsFileManager. The attacker submits a crafted upload request in which uploadFieldId or clientFileName contains directory traversal sequences. The framework then resolves the file path outside the upload directory, exposing arbitrary read or write primitives. No user interaction or prior privileges are required.
No public proof-of-concept exploit code is listed in the advisory. Refer to the Apache Wicket Pull Request #1432 for the corrective implementation and the Apache Mailing List Thread for vendor discussion.
Detection Methods for CVE-2026-43975
Indicators of Compromise
- HTTP multipart upload requests containing ../, ..\, or URL-encoded traversal sequences (%2e%2e%2f) in the uploadFieldId parameter or clientFileName field.
- Files appearing in unexpected directories outside the configured Wicket upload folder, particularly in writable system paths or web roots.
- Web server access logs showing POST requests to Wicket endpoints with abnormally long or path-like field identifiers.
Detection Strategies
- Inspect application logs for upload events whose resolved file path falls outside the configured upload base directory.
- Deploy WAF rules that match traversal patterns in multipart form fields, including encoded variants, targeting Wicket upload handlers.
- Audit running Wicket applications for the version string and flag any instance below 10.9.0 within the affected release branches.
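One way to turn the traversal indicators listed above and the encoded-variant matching from the Detection Strategies into a log check, as an added example that is not part of the advisory: the field identifier and filename are pulled from a logged multipart Content-Disposition line, percent-decoded until stable, and flagged if any ".." segment remains. The log line format and class name are assumptions, and the sample lines are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class UploadTraversalScan {
    // Field identifier and optional filename from a multipart Content-Disposition header.
    private static final Pattern DISPOSITION =
        Pattern.compile("name=\"([^\"]*)\"(?:;\\s*filename=\"([^\"]*)\")?");
    // A ".." segment bounded by slash, backslash, or the start/end of the value.
    private static final Pattern DOT_DOT_SEGMENT =
        Pattern.compile("(^|[/\\\\])\\.\\.([/\\\\]|$)");

    /** Percent-decodes until stable so doubly encoded variants (%252e%252e%252f) are caught. */
    static String fullyDecode(String s) {
        String cur = s;
        for (int round = 0; round < 5; round++) {
            String next;
            try { next = URLDecoder.decode(cur, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException e) { break; } // malformed escape: keep what we have
            if (next.equals(cur)) break;
            cur = next;
        }
        return cur;
    }

    static boolean hasTraversal(String value) {
        return value != null && DOT_DOT_SEGMENT.matcher(fullyDecode(value)).find();
    }

    // Suspicious multipart field names and filenames found in one logged request line.
    static List<String> scan(String logLine) {
        List<String> hits = new ArrayList<>();
        Matcher m = DISPOSITION.matcher(logLine);
        while (m.find()) {
            if (hasTraversal(m.group(1))) hits.add("name=" + m.group(1));
            if (hasTraversal(m.group(2))) hits.add("filename=" + m.group(2));
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not real traffic.
        String[] lines = {
            "POST /upload form-data; name=\"fileField\"; filename=\"report.pdf\"",
            "POST /upload form-data; name=\"fileField\"; filename=\"..\\..\\x.txt\"",
            "POST /upload form-data; name=\"%2e%2e%2f%2e%2e%2fx\"; filename=\"a.txt\"",
        };
        for (String line : lines) System.out.println(scan(line) + " <- " + line);
    }
}
```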
Monitoring Recommendations
- Monitor filesystem write events on Java application servers hosting Wicket, alerting on writes outside designated upload directories.
- Track outbound and inbound traffic to Wicket endpoints and correlate with file creation events on the host.
- Enable verbose logging in FolderUploadsFileManager after upgrading and review for anomalous filename patterns.
How to Mitigate CVE-2026-43975
Immediate Actions Required
- Upgrade Apache Wicket to version 10.9.0 or later, which contains the fix for FolderUploadsFileManager.
- Inventory all internal and external Java applications using Wicket and prioritize internet-facing instances for patching.
- Restrict access to file upload endpoints with authentication or network controls until patching is complete.
Patch Information
The Apache Wicket project released version 10.9.0 to address CVE-2026-43975. The fix introduces validation and sanitization of the uploadFieldId parameter and clientFileName before path construction. Users on the 8.x and 9.x branches must migrate to 10.9.0, as patched releases for older branches are not listed in the advisory. Review the GitHub Wicket Pull Request #1432 for the implementation details.
Workarounds
- If immediate upgrade is not possible, disable file upload features that rely on FolderUploadsFileManager in the application configuration.
- Place a reverse proxy or WAF in front of the application that rejects multipart requests containing path traversal sequences in field identifiers or filenames.
- Run the Java application server under a least-privileged account with restricted filesystem permissions to limit the impact of arbitrary writes.
<!-- Example Maven dependency update to the remediated version (pom.xml) -->
<dependency>
    <groupId>org.apache.wicket</groupId>
    <artifactId>wicket-core</artifactId>
    <version>10.9.0</version>
</dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.