CVE-2026-7676 Overview
CVE-2026-7676 is a path traversal vulnerability in kerwincui FastBee versions up to 1.2.1. The flaw resides in the ToolController.download function within springboot/fastbee-open-api/src/main/java/com/fastbee/data/controller/ToolController.java, part of the Tool Download Endpoint. Attackers can manipulate the fileName argument to traverse the file system and access files outside the intended download directory. The issue is exploitable remotely and requires only low-privileged authentication. The exploit has been published, and the vendor did not respond to disclosure attempts. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Authenticated remote attackers can read arbitrary files on the FastBee server by abusing the fileName parameter in the Tool Download Endpoint, exposing configuration files, credentials, and source code.
Affected Products
- kerwincui FastBee 1.0.x through 1.2.1
- fastbee-open-api Spring Boot module containing ToolController
- Deployments exposing the Tool Download Endpoint to untrusted networks
Discovery Timeline
- 2026-05-03 - CVE-2026-7676 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7676
Vulnerability Analysis
The vulnerability affects FastBee, an open-source IoT platform built on Spring Boot. The download method of ToolController accepts a user-supplied fileName parameter and uses it to construct a server-side file path without sufficient validation. Because the input is not normalized or constrained to an allowlisted directory, attackers can submit traversal sequences such as ../ to escape the intended file root. A successful request returns the contents of arbitrary files readable by the FastBee process. Public exploit details are referenced in the VulDB Vulnerability #360829 advisory and a Feishu Document Resource. The current EPSS probability is 0.039%.
Root Cause
The root cause is missing canonicalization and validation of the fileName parameter inside ToolController.download. The controller concatenates user input into a file path and reads the resulting file. It does not verify that the canonical path remains inside the configured download directory, nor does it reject traversal characters or absolute paths.
Attack Vector
The attack is performed over the network against the FastBee HTTP API. An attacker with low-privileged credentials issues a crafted request to the Tool Download Endpoint, supplying a fileName value containing ../ segments or an absolute path. The server returns the targeted file in the response body, enabling disclosure of application configuration, secrets, or operating system files reachable by the application user.
No verified proof-of-concept code is referenced from authoritative sources beyond the public exploit notice. See the linked references for technical reproduction details.
Detection Methods for CVE-2026-7676
Indicators of Compromise
- HTTP requests to the FastBee Tool Download Endpoint containing ../, ..%2f, ..\, or URL-encoded traversal sequences in the fileName query or form parameter.
- Access log entries showing successful downloads of files outside the expected tool/template directory, particularly system paths such as /etc/passwd or Spring Boot resources like application.yml.
- Spikes in 200-status responses from the download endpoint whose response sizes are unusually small or do not match the legitimate tool files.
Detection Strategies
- Inspect Spring Boot access logs and reverse-proxy logs for requests to the ToolController.download route with suspicious fileName values.
- Deploy web application firewall (WAF) rules that flag path traversal patterns in any parameter named fileName for FastBee hosts.
- Correlate authenticated session activity with download endpoint usage to identify low-privileged accounts retrieving files outside their normal scope.
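The log inspection described in the indicators and detection strategies above, as an added example that is not FastBee's code and not part of this advisory. It assumes combined-format access logs, the /tool/download route used in the proxy rule later on this page, and a query-string fileName parameter; the four log lines are constructed samples. The value is percent-decoded repeatedly before matching so that double-encoded forms are caught as well.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not part of FastBee: flags path-traversal attempts against the
// Tool Download Endpoint in combined-format access logs. The /tool/download route
// and the log format are assumptions; the sample lines in main() are constructed.
public class TraversalLogScanner {

    // Request line, status and response size from a combined-format entry.
    private static final Pattern REQUEST_LINE = Pattern.compile(
        "\"(?<method>[A-Z]+) (?<path>\\S+) HTTP/[0-9.]+\" (?<status>\\d{3}) (?<bytes>\\d+|-)");

    // fileName query parameter; the parameter name is matched case-insensitively.
    private static final Pattern FILE_NAME_PARAM = Pattern.compile("(?i)[?&]fileName=([^&\\s]*)");

    // Decoded value contains a "../" or "..\" step, or starts as an absolute path.
    private static final Pattern TRAVERSAL = Pattern.compile(
        "\\.\\.[/\\\\]|^[/\\\\]|^[A-Za-z]:[/\\\\]");

    /** Percent-decodes up to three times so double-encoded forms such as ..%252f are normalized. */
    static String fullyDecode(String value) {
        String current = value;
        for (int round = 0; round < 3; round++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break; // keep a malformed %-sequence as-is rather than dropping the line
            }
            if (decoded.equals(current)) break;
            current = decoded;
        }
        return current;
    }

    /** Returns a finding for a suspicious download request, or null for a benign line. */
    static String inspect(String logLine) {
        Matcher req = REQUEST_LINE.matcher(logLine);
        if (!req.find()) return null;
        String path = req.group("path");
        if (!path.toLowerCase().contains("/tool/download")) return null;
        Matcher param = FILE_NAME_PARAM.matcher(path);
        if (!param.find()) return null;
        String decoded = fullyDecode(param.group(1));
        if (!TRAVERSAL.matcher(decoded).find()) return null;
        // Status and size are reported so a 200 with a small body can be triaged first.
        return String.format("fileName=%s status=%s bytes=%s",
                             decoded, req.group("status"), req.group("bytes"));
    }

    /** Runs inspect() over every line and collects the findings. */
    static List<String> scan(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            String finding = inspect(line);
            if (finding != null) findings.add(finding);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log lines: one benign download, then encoded,
        // double-encoded and absolute-path attempts.
        List<String> sample = List.of(
            "192.0.2.10 - - [03/May/2026:10:15:01 +0000] \"GET /tool/download?fileName=template.xlsx HTTP/1.1\" 200 48213",
            "192.0.2.44 - - [03/May/2026:10:16:22 +0000] \"GET /tool/download?fileName=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\" 200 1795",
            "192.0.2.44 - - [03/May/2026:10:16:30 +0000] \"GET /tool/download?fileName=..%252f..%252fapplication.yml HTTP/1.1\" 200 2210",
            "192.0.2.44 - - [03/May/2026:10:16:41 +0000] \"GET /tool/download?filename=%2Fopt%2Fapp%2Fapplication.properties HTTP/1.1\" 403 0");
        for (String finding : scan(sample)) {
            System.out.println("ALERT " + finding);
        }
    }
}
```

Only the query string is inspected, because that is what an access log records; a fileName submitted in a form body needs application-level logging (see the monitoring recommendations) to be visible at all. Blocked requests (the 403 line) are still reported, since a blocked attempt is itself an indicator worth correlating with the account that made it.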
Monitoring Recommendations
- Enable verbose request logging on the fastbee-open-api module and forward logs to a centralized analytics platform.
- Alert on file reads of sensitive files such as application.yml, application.properties, .env, and private key files by the FastBee service account.
- Monitor outbound traffic from the FastBee host for exfiltration following anomalous download activity.
How to Mitigate CVE-2026-7676
Immediate Actions Required
- Restrict network access to the FastBee Tool Download Endpoint using firewall rules, reverse-proxy ACLs, or VPN-only exposure until a fix is available.
- Revoke or rotate any low-privileged API credentials that could be abused to reach the vulnerable endpoint.
- Audit the FastBee server file system for sensitive files and relocate secrets outside the application working directory.
Patch Information
No vendor patch has been published. According to the CVE record, the maintainer of kerwincui FastBee was contacted but did not respond. Track the project repository and the VulDB #360829 CTI Analysis for updates. Until a fixed release is available, treat all FastBee 1.x deployments through 1.2.1 as vulnerable.
Workarounds
- Apply a reverse-proxy rule that rejects requests to the download endpoint when fileName contains .., /, \, %2e, or %2f sequences.
- Run the FastBee service under a dedicated low-privilege OS account with read access strictly limited to the legitimate tool download directory.
- If self-maintaining a fork, modify ToolController.download to canonicalize the resolved path and validate it starts with the configured tool directory before serving the file.
# Example NGINX rule blocking traversal attempts on the FastBee download endpoint.
# $arg_fileName is the raw (undecoded) query-string value, so encoded forms must be
# listed explicitly; a fileName sent in a form body is not inspected by this rule.
location ~* /tool/download {
    # Reject "..", encoded "..", forward slashes and backslashes (raw or encoded).
    # \x5c is the PCRE escape for a backslash; nginx unescapes "\\" inside a quoted
    # string before compiling the regex, which would otherwise break the pattern.
    if ($arg_fileName ~* "(\.\.|%2e%2e|/|%2f|\x5c|%5c)") {
        return 403;
    }
    proxy_pass http://fastbee_backend;
}
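The unvalidated join described in the Root Cause section, beside the hardened resolver that the third workaround item calls for, as an added example that is not FastBee's code. The class name, the method names and the /opt/fastbee/tools directory are assumptions; FastBee's real configuration key for the tool directory is not on this page. The safe variant normalizes the resolved path and requires it to remain inside the configured directory, and an optional symlink-aware variant repeats the check on the real path.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not FastBee's code: the unvalidated-join pattern the advisory
// describes next to a hardened resolver. Names and the tool directory are
// hypothetical; FastBee's actual property for that directory is not on the page.
public class SafeDownloadPath {

    // Hypothetical configured tool download directory.
    private static final Path TOOL_DIR =
        Paths.get("/opt/fastbee/tools").toAbsolutePath().normalize();

    /** Vulnerable pattern: user input is joined onto the base with no containment check.
     *  "../" segments walk out of TOOL_DIR, and an absolute argument replaces it outright. */
    static Path resolveUnsafe(String fileName) {
        return TOOL_DIR.resolve(fileName);
    }

    /**
     * Hardened pattern: reject obviously hostile names, resolve against the base,
     * normalize away ".." segments, then require the result to stay inside TOOL_DIR.
     * Returns null when the request must be refused.
     */
    static Path resolveSafe(String fileName) {
        if (fileName == null || fileName.isEmpty()) return null;
        // Cheap rejections: traversal markers, absolute paths (Unix and Windows), NUL bytes.
        // Names containing ".." are refused wholesale; that is an acceptable trade-off here.
        if (fileName.contains("..") || fileName.startsWith("/") || fileName.startsWith("\\")
                || fileName.indexOf('\0') >= 0 || fileName.matches("^[A-Za-z]:.*")) {
            return null;
        }
        Path candidate = TOOL_DIR.resolve(fileName).normalize();
        // The containment check is the real gate: startsWith(Path) compares whole
        // components, so "/opt/fastbee/tools2/x" does not pass as inside "/opt/fastbee/tools".
        if (!candidate.startsWith(TOOL_DIR)) return null;
        return candidate;
    }

    /** Symlink-aware variant for existing files: a link inside TOOL_DIR that points
     *  outside it is rejected because the real path is checked again. */
    static Path resolveSafeReal(String fileName) throws IOException {
        Path candidate = resolveSafe(fileName);
        if (candidate == null || !Files.isRegularFile(candidate)) return null;
        Path real = candidate.toRealPath();
        return real.startsWith(TOOL_DIR.toRealPath()) ? real : null;
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate names, then traversal, absolute and backslash forms.
        String[] inputs = {"report.xlsx", "sub/ok.txt", "../../../etc/passwd",
                           "/etc/passwd", "..\\..\\win.ini"};
        for (String in : inputs) {
            System.out.printf("%-22s unsafe=%s safe=%s%n", in, resolveUnsafe(in), resolveSafe(in));
        }
    }
}
```

In a controller, only a non-null result from resolveSafe (or resolveSafeReal) should be opened and streamed to the client; everything else should yield a 400 or 404 without echoing the supplied name, so that the response does not confirm which paths exist.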
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.