CVE-2026-45053 Overview
CVE-2026-45053 is an authenticated arbitrary file upload vulnerability in the CubeCart ecommerce platform. The flaw resides in the REST API File Manager endpoint POST /api/v1/files in versions prior to 6.7.0. Any API key holder with files:rw permission can upload PHP source files into the web-accessible images/source/ directory, where the web server executes them. The endpoint also contains a path-traversal flaw in its filepath parameter. A single API request can write a webshell anywhere the web server process has write access, including the document root. The vulnerability is classified under CWE-434 and is fixed in CubeCart 6.7.0.
Critical Impact
A single authenticated API request yields full Remote Code Execution by writing a PHP webshell into the web root.
Affected Products
- CubeCart versions prior to 6.7.0
- CubeCart REST API File Manager endpoint (POST /api/v1/files)
- Deployments issuing API keys with files:rw permission
Discovery Timeline
- 2026-05-13 - CVE-2026-45053 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45053
Vulnerability Analysis
The vulnerability resides in the REST API File Manager endpoint exposed at POST /api/v1/files. The endpoint accepts uploaded file content together with a filepath parameter that determines the destination on disk. It enforces no allowlist on file extensions or MIME types, so PHP source files pass validation. The default upload directory images/source/ is web-accessible, and the web server hands .php files in it to the PHP interpreter, so an uploaded .php file executes as soon as it is requested. The endpoint additionally fails to canonicalize the filepath parameter, so ../ sequences escape the intended directory. An attacker holding an API key with files:rw permission combines both flaws to drop a webshell into the document root and invoke it over HTTP, achieving Remote Code Execution under the web server account.
Root Cause
The root cause is unrestricted upload of files with dangerous types (CWE-434), compounded by missing path normalization on a user-controlled destination parameter. Authentication is required, but the trust granted to files:rw API keys is too broad: it constrains neither the output path nor the file types that may be written.
Attack Vector
The attack is remote and authenticated. An adversary submits an HTTP POST request to /api/v1/files containing a valid API key with files:rw permission, a filepath value using path traversal to target the document root, and a body containing PHP code. After the upload completes, the attacker requests the dropped script through the web server to execute commands. See the CubeCart GitHub Security Advisory GHSA-652f-8c88-25cx for vendor technical details.
Detection Methods for CVE-2026-45053
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files in images/source/ or other writable directories within the CubeCart document root.
- HTTP POST requests to /api/v1/files whose filepath parameter contains .. sequences (plain or URL-encoded) or an absolute path.
- New files owned by the web server account with modification times correlating to API File Manager requests.
- Outbound connections from, or calls to system(), exec(), passthru() or similar process-spawning functions by, the PHP worker processes serving CubeCart.
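The check that the Vulnerability Analysis and Root Cause say the endpoint lacks (canonicalize the destination, then allowlist the extension) doubles as a detection predicate for the indicators listed above. The following Python is an added example written for this page, not CubeCart code: check_filepath() is that validation, scan_access_log() runs it over combined-format access log lines, and followup_hits() correlates a rejected upload with requests from the same source IP to the dropped file, which is the "request the dropped script" step of the attack. The install path /var/www/cubecart, the image allowlist, the sample log lines, and the placement of filepath in the query string are assumptions; if the real endpoint takes filepath in the request body, feed the body value captured by a WAF or application log to check_filepath() instead, since access logs do not record it.

```python
"""check_filepath() = the canonicalisation + allowlist check the vulnerable endpoint
lacks; scan_access_log() and followup_hits() apply it to access-log lines.
Added example, not CubeCart code; paths, allowlist and sample data are assumptions."""
import posixpath
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, unquote, urlsplit

DOCROOT = "/var/www/cubecart"                             # assumed install location
UPLOAD_BASE = DOCROOT + "/images/source"                  # default upload directory per the advisory
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}  # assumed image allowlist
EXEC_EXT = {".php", ".phtml", ".phar"}                    # extensions the advisory names as executable

LOG_RE = re.compile(                                      # Apache/Nginx combined log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = [  # constructed lines; 198.51.100.9 plays the key holder abusing files:rw
    '203.0.113.7 - - [14/May/2026:09:12:01 +0000] "GET /images/source/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/May/2026:09:15:42 +0000] "POST /api/v1/files?filepath=banner.png HTTP/1.1" 201 63 "-" "importer/1.2"',
    '198.51.100.9 - - [14/May/2026:09:16:10 +0000] "POST /api/v1/files?filepath=..%2F..%2Fshell.php HTTP/1.1" 201 63 "-" "curl/8.5.0"',
    '198.51.100.9 - - [14/May/2026:09:16:11 +0000] "GET /shell.php HTTP/1.1" 200 88 "-" "curl/8.5.0"',
    '198.51.100.9 - - [14/May/2026:09:17:03 +0000] "POST /api/v1/files HTTP/1.1" 201 63 "-" "curl/8.5.0"',
]


def check_filepath(filepath, base_dir=UPLOAD_BASE):
    """Return (ok, reason, normalized_target) for a user-supplied destination."""
    decoded = filepath
    for _ in range(3):                  # unwind double/triple URL encoding (%252e%252e -> ..)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if not decoded:
        return False, "empty filepath", None
    if "\x00" in decoded or "\\" in decoded:
        return False, "NUL byte or backslash in filepath", None
    if decoded.startswith("/"):
        return False, "absolute path", None
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, decoded))   # resolves ../ lexically
    if not target.startswith(base + "/"):
        return False, "traversal escapes upload directory", target
    suffixes = [s.lower() for s in PurePosixPath(target).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXT:
        return False, "extension not in allowlist", target
    if any(s in EXEC_EXT for s in suffixes):           # shell.php.png and similar double extensions
        return False, "executable extension inside filename", target
    return True, "ok", target


def scan_access_log(lines, base_dir=UPLOAD_BASE):
    """One finding per POST /api/v1/files. A query-string filepath is checked; a body
    parameter is invisible in access logs, so those findings carry ok=None."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/api/v1/files":
            continue
        fp = parse_qs(url.query).get("filepath", [None])[0]   # parse_qs already decodes once
        if fp is None:
            ok, reason, target = None, "filepath not visible in access log", None
        else:
            ok, reason, target = check_filepath(fp, base_dir)
        findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "filepath": fp, "ok": ok, "reason": reason, "target": target})
    return findings


def followup_hits(lines, findings, docroot=DOCROOT):
    """Requests from the uploading IP to the web path of a rejected upload that landed
    under the document root: the 'request the dropped script' step of the attack."""
    hits = []
    for f in findings:
        if f["ok"] is not False or not f["target"] or not f["target"].startswith(docroot + "/"):
            continue
        web_path = f["target"][len(docroot):]
        for line in lines:
            m = LOG_RE.match(line)
            if m and m["ip"] == f["ip"] and urlsplit(m["target"]).path == web_path:
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": web_path, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    findings = scan_access_log(SAMPLE_LOG)
    for f in findings:
        print(f["ts"], f["ip"], repr(f["filepath"]), "->", f["ok"], f["reason"])
    for h in followup_hits(SAMPLE_LOG, findings):
        print("follow-up request to dropped file:", h)
```

Run it directly to print the findings for the constructed sample; in production, feed the access log line by line and route rejected and undecidable (ok=None) findings to the SIEM for correlation with the API key identifier. The check addresses where a file lands and whether the server will execute it, not what it contains: a name that satisfies the allowlist can still carry malicious content, which is why the web server rule in the Workarounds section is still needed.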
Detection Strategies
- Review web server access logs for POST /api/v1/files requests and correlate with the API key identifier and source IP.
- Hash and inventory all PHP files under the CubeCart webroot and alert on any file not present in the upstream distribution of the release you are running (6.7.0 after the upgrade); add locally installed plugins and custom theme code to the reference set first, or they will surface as findings.
- Inspect API audit logs for keys carrying files:rw permission and validate that each key has a legitimate operational owner.
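The hash-and-inventory strategy above, as an added Python example written for this page rather than CubeCart tooling. It goes one step beyond the list item: besides files absent from the release, the same inventory reports upstream files whose hash differs from it, which is where a tampered entry point would show up. The demo trees are constructed in a temporary directory and hold placeholder contents, not real webshells; the skins/custom/ ignore prefix for locally written theme code is an assumption about a typical deployment.

```python
"""Hash inventory of PHP-family files under a deployed CubeCart webroot against a
clean copy of the same release. Added example, not CubeCart tooling; the layout
of the demo trees and the ignore list are assumptions."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".phar"}   # extensions the advisory names as executable
IGNORE_PREFIXES = ("skins/custom/",)         # assumed: locally written theme code, reviewed separately


def is_php_family(path):
    """True for shell.php, x.phtml, and double extensions such as shell.php.png."""
    return any(s.lower() in PHP_SUFFIXES for s in Path(path).suffixes)


def hash_php_tree(root):
    """Map relative POSIX path -> sha256 for every PHP-family file under root."""
    root = Path(root)
    inventory = {}
    for p in root.rglob("*"):
        if not p.is_file() or not is_php_family(p):
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(IGNORE_PREFIXES):
            continue
        inventory[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return inventory


def diff_against_reference(deployed, reference):
    """Files present only in the deployment (what to alert on), files whose hash
    differs from the release, and files the release ships that are missing."""
    dep, ref = hash_php_tree(deployed), hash_php_tree(reference)
    return {
        "unexpected": sorted(set(dep) - set(ref)),
        "modified": sorted(k for k in dep.keys() & ref.keys() if dep[k] != ref[k]),
        "missing": sorted(set(ref) - set(dep)),
    }


def file_facts(root, rel):
    """Size and mtime for triage against API File Manager request timestamps."""
    st = (Path(root) / rel).stat()
    return {"path": rel, "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()}


def build_demo(tmp):
    """Constructed trees: a reference release and a deployment with one planted file
    and one tampered upstream file. Contents are placeholders, not real webshells."""
    ref, dep = Path(tmp, "reference"), Path(tmp, "deployed")
    for base in (ref, dep):
        (base / "images/source").mkdir(parents=True)
        (base / "skins/custom").mkdir(parents=True)
        (base / "index.php").write_text("<?php // upstream entrypoint\n")
        (base / "images/source/logo.png").write_bytes(b"\x89PNG placeholder")
    (dep / "images/source/cache.php").write_text("<?php // not in the release\n")
    (dep / "skins/custom/hooks.php").write_text("<?php // local theme code, ignored\n")
    (dep / "index.php").write_text("<?php // upstream entrypoint\n// tampered\n")
    return dep, ref


def run_demo():
    """Build the constructed trees, diff them, and attach size/mtime for each finding."""
    with tempfile.TemporaryDirectory() as tmp:
        dep, ref = build_demo(tmp)
        result = diff_against_reference(dep, ref)
        result["details"] = [file_facts(dep, rel) for rel in result["unexpected"]]
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In production, point deployed at the live webroot and reference at an unpacked copy of the exact release archive you deployed, at the same patch level, and either add installed third-party plugins to the reference tree or extend the ignore list, otherwise every plugin file appears as unexpected. Run the comparison from a host other than the web server where possible, so a compromised PHP worker cannot alter the reference copy.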
Monitoring Recommendations
- Enable file integrity monitoring on images/source/ and the CubeCart document root.
- Forward web server, PHP-FPM, and application logs to a centralized log platform and alert on PHP execution from upload directories.
- Monitor process telemetry for child processes spawned by the PHP worker, such as /bin/sh, bash, or curl.
How to Mitigate CVE-2026-45053
Immediate Actions Required
- Upgrade CubeCart to version 6.7.0 or later, which contains the official fix.
- Rotate every API key issued before the upgrade and revoke any key with files:rw permission that is not strictly required.
- Audit the webroot for unexpected PHP files; preserve a copy of anything suspicious for forensic analysis, then remove artifacts that cannot be traced to a known deployment action.
Patch Information
The vendor fixed CVE-2026-45053 in CubeCart 6.7.0. Upgrade details and the security advisory are published in the CubeCart GitHub Security Advisory GHSA-652f-8c88-25cx.
Workarounds
- Block execution of PHP files inside images/source/ and any other upload directory at the web server level using a location or <Directory> rule. This neutralises only the default drop location; because the traversal flaw lets an upload land anywhere the web server can write, including the document root, pair it with the two measures below.
- Restrict access to /api/v1/files through a web application firewall rule that denies requests whose filepath parameter contains traversal sequences or an absolute path. Match on the URL-decoded value so that encoded variants such as %2e%2e%2f are caught, and inspect the request body if the parameter is sent there rather than in the query string.
- Remove the files:rw permission from API keys until the upgrade is complete.
# Nginx example: disable PHP execution inside CubeCart upload directories.
# Nginx uses the first matching regex location, so this block must appear
# before the generic "location ~ \.php$ { fastcgi_pass ...; }" block or it
# never fires. "return" runs in the rewrite phase, before access checks,
# so a separate "deny all" adds nothing here.
location ~* ^/images/source/.*\.(php|phtml|phar)$ {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


