CVE-2026-8361 Overview
CVE-2026-8361 is a path traversal vulnerability [CWE-23] in the WOSDefaultHttpModule.dll component. The flaw occurs when the module processes HTTP requests with URL paths starting with /woshome. An unauthenticated remote attacker can craft malicious URL paths to traverse outside the intended directory and read sensitive files on the server.
The vulnerability is network-exploitable with low attack complexity and requires no privileges or user interaction. Successful exploitation results in disclosure of confidential data accessible to the web service process.
Critical Impact
Unauthenticated remote attackers can read arbitrary files on affected systems by submitting crafted HTTP requests to the /woshome endpoint, exposing configuration files, credentials, and other sensitive data.
Affected Products
- Software implementing WOSDefaultHttpModule.dll (specific vendor/product not disclosed in NVD entry)
- See the Tenable Security Research Advisory for affected version details
Discovery Timeline
- 2026-05-27 - CVE-2026-8361 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-8361
Vulnerability Analysis
The vulnerability resides in WOSDefaultHttpModule.dll, an HTTP handler module that processes incoming web requests. When the module receives a URL path beginning with /woshome, it fails to properly sanitize or canonicalize the remainder of the path before using it to access files on the underlying filesystem.
An attacker can inject directory traversal sequences such as ../ into the URL to escape the intended document root. The HTTP module then resolves these sequences and returns the contents of files outside the web-accessible directory.
Because the request is processed before authentication, the attack requires no credentials. The impact is limited to confidentiality, as the vulnerability allows file reads but not modification or service disruption.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-23]. The module concatenates user-supplied URL path segments with a base directory without validating that the resolved path remains within the intended boundary. Canonicalization is either absent or applied incorrectly, allowing .. and similar relative path traversal elements to alter the final resolved location.
Attack Vector
Exploitation is performed over the network by sending a single HTTP GET request. The attacker prepends /woshome to the URL path and appends traversal sequences followed by the target file path. The vulnerable module parses the request and returns the file contents in the HTTP response body. No session, cookie, or authentication header is required, making the attack trivial to automate at scale against exposed instances.
Refer to the Tenable Security Research Advisory for technical proof-of-concept details.
Detection Methods for CVE-2026-8361
Indicators of Compromise
- HTTP request logs containing /woshome followed by directory traversal sequences such as ../, ..%2f, or ..%5c
- Unexpected HTTP 200 responses for /woshome requests referencing system file paths like win.ini, web.config, or boot.ini
- Outbound responses from the web server containing contents of configuration files or credential stores
- Repeated probing of /woshome from a single source IP within a short timeframe
Detection Strategies
- Inspect web server access logs for requests matching the pattern /woshome.*\.\./ or URL-encoded variants
- Deploy web application firewall (WAF) rules to flag directory traversal patterns in any URL path
- Correlate file-read system calls on the web server process with inbound HTTP requests targeting /woshome
- Hunt for anomalously large responses to /woshome requests, which may indicate file exfiltration
Monitoring Recommendations
- Forward web server and WAF logs to a centralized SIEM for retention and correlation
- Alert on any HTTP request containing both /woshome and encoded or literal traversal sequences
- Monitor file access patterns on the web server host for reads of sensitive files by the HTTP service account
- Track repeated 4xx and 5xx responses on the /woshome path as potential reconnaissance signals
How to Mitigate CVE-2026-8361
Immediate Actions Required
- Restrict network access to the affected service using firewall rules or network segmentation until a patch is applied
- Deploy WAF signatures that block path traversal patterns on any request to /woshome
- Audit web server logs for prior exploitation attempts and rotate any credentials potentially exposed through configuration file reads
- Review the Tenable Security Research Advisory for vendor-specific patch availability
Patch Information
No vendor patch URL is listed in the NVD entry at the time of publication. Consult the Tenable Security Research Advisory and the affected vendor's security bulletins for the latest patch availability and upgrade guidance.
Workarounds
- Block all external HTTP requests targeting the /woshome URL prefix at the reverse proxy or load balancer
- Configure the web server to reject URLs containing .., %2e%2e, or other encoded traversal sequences before they reach WOSDefaultHttpModule.dll
- Run the web service under a low-privileged account with filesystem access restricted to only the directories required for operation
- Disable the WOSDefaultHttpModule component if it is not required for production workloads
# Example nginx reverse proxy rule to block traversal attempts on /woshome
location /woshome {
if ($request_uri ~* "(\.\./|\.\.%2f|\.\.%5c|%2e%2e)") {
return 403;
}
proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
