CVE-2026-8736 Overview
CVE-2026-8736 is a path traversal vulnerability [CWE-22] affecting Oinone Pamirs versions up to 7.2.0. The flaw resides in the request.getParameter call within LocalFileClient.java, part of the RestController component. An attacker who manipulates the uniqueFileName argument can traverse the file system outside the intended directory. Exploitation requires physical access to the device along with low privileges. A public exploit has been released, and the vendor did not respond to disclosure attempts.
Critical Impact
Authenticated attackers with physical access can read or write files outside the intended directory by manipulating the uniqueFileName parameter, leading to limited confidentiality, integrity, and availability impact.
Affected Products
- Oinone Pamirs versions up to and including 7.2.0
- Component: RestController / LocalFileClient.java
- Vendor: Oinone (unresponsive to disclosure)
Discovery Timeline
- 2026-05-17 - CVE-2026-8736 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8736
Vulnerability Analysis
The vulnerability is a path traversal weakness located in the file-handling logic of LocalFileClient.java inside the RestController component. The application reads the uniqueFileName parameter using request.getParameter and incorporates it into a file system path without sufficient normalization or validation. As a result, an attacker can supply traversal sequences such as ../ to break out of the intended directory.
The attack vector is physical (AV:P), meaning the attacker must interact with the device directly. Low privileges are required, and no user interaction is needed. The impact on confidentiality, integrity, and availability is rated low individually. A proof-of-concept exploit has been released publicly, increasing operational risk despite the constrained access requirements.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory, classified under [CWE-22]. The LocalFileClient.java code accepts user-controlled input from uniqueFileName and constructs a file system path without canonicalizing the result or rejecting traversal sequences. Java APIs such as File.getCanonicalPath() or strict allowlists are not applied to enforce a safe base directory.
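Added example, not from the advisory or from Oinone's code base: the unchecked path construction the root cause describes, beside a resolver that canonicalizes both base and target and enforces the base directory. The base directory under java.io.tmpdir and the sample file names are assumptions.

```java
import java.io.File;
import java.io.IOException;

// Added example, not Oinone's code. baseDir and uniqueFileName are assumptions;
// the latter stands in for the value read via request.getParameter("uniqueFileName").
public class SafeFileResolver {

    // The pattern the advisory describes: the parameter is joined onto the base
    // path with no canonicalization, so "../../etc/passwd" escapes baseDir.
    static File resolveUnsafe(File baseDir, String uniqueFileName) {
        return new File(baseDir, uniqueFileName);
    }

    // Hardened form: allowlist the name, canonicalize base and target, and require
    // that the canonical target sits strictly under the canonical base.
    static File resolveSafe(File baseDir, String uniqueFileName) throws IOException {
        if (uniqueFileName == null || !uniqueFileName.matches("[A-Za-z0-9._-]+")
                || uniqueFileName.contains("..")) {
            throw new IllegalArgumentException("invalid uniqueFileName");
        }
        File base = baseDir.getCanonicalFile();
        File target = new File(base, uniqueFileName).getCanonicalFile();
        // getCanonicalFile resolves "..", symlinks and mixed separators, so a prefix
        // check on canonical paths is reliable. The trailing separator stops
        // "/srv/uploads-old" from passing as inside "/srv/uploads".
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new SecurityException("path escapes base directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "pamirs-uploads");
        System.out.println(resolveUnsafe(base, "../../etc/passwd")); // escapes base
        System.out.println(resolveSafe(base, "report-2026.pdf"));   // accepted
        try {
            resolveSafe(base, "../../etc/passwd");
        } catch (RuntimeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```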
Attack Vector
Exploitation requires physical access and authenticated low-privilege access to the affected Oinone Pamirs deployment. The attacker issues an HTTP request to the vulnerable RestController endpoint, supplying a crafted uniqueFileName value containing relative path traversal sequences. The server resolves the manipulated path and operates on files outside the intended storage directory, exposing sensitive data or permitting unauthorized file operations.
No verified exploit code is republished here. Refer to the GitHub Issue Report and VulDB entry #364324 for technical details on the published proof of concept.
Detection Methods for CVE-2026-8736
Indicators of Compromise
- HTTP requests to RestController endpoints containing ../, ..\, URL-encoded %2e%2e%2f, or double-encoded traversal sequences in the uniqueFileName parameter.
- Application or web server logs showing file access outside the configured upload or storage directory.
- Unexpected reads of sensitive system files such as /etc/passwd, configuration files, or application secrets initiated by the Pamirs process.
Detection Strategies
- Inspect web server and application logs for requests targeting LocalFileClient handlers with suspicious uniqueFileName values.
- Deploy WAF or reverse proxy rules that flag and block path traversal patterns directed at the affected endpoints.
- Use file integrity monitoring on directories outside the intended file storage path to identify unauthorized access by the Pamirs service account.
Monitoring Recommendations
- Enable verbose request logging on the RestController for the duration of remediation activities.
- Alert on parameter values containing encoded or raw traversal tokens (.., %2e, 0x2e).
- Correlate authentication events with file access anomalies on hosts running Oinone Pamirs.
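An added detection example, not part of the advisory, that applies the indicators and monitoring recommendations above: it scans constructed access-log lines and flags uniqueFileName values that carry raw, URL-encoded or double-encoded traversal tokens. The log format and the /rest/file/download route are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.*;

// Added example, not part of the advisory. The access-log format and the
// /rest/file/download route are constructed assumptions.
public class TraversalLogScanner {
    private static final Pattern PARAM = Pattern.compile("[?&]uniqueFileName=([^&\\s\"]*)");
    // ".." as a whole path segment, with either separator, at start, middle or end.
    private static final Pattern TRAVERSAL = Pattern.compile("(^|[/\\\\])\\.\\.([/\\\\]|$)");

    // Decode a bounded number of times so %252e%252e%252f (double-encoded) is
    // caught as well as %2e%2e%2f. Malformed escapes are left as they are.
    static String fullyDecode(String value) {
        String current = value;
        for (int i = 0; i < 3; i++) {
            String next = current;
            try { next = URLDecoder.decode(current, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException malformed) { break; }
            if (next.equals(current)) break;
            current = next;
        }
        return current;
    }

    // Lines whose uniqueFileName value contains a traversal token after decoding.
    static List<String> findSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = PARAM.matcher(line);
            if (m.find() && TRAVERSAL.matcher(fullyDecode(m.group(1))).find()) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> constructedLog = List.of( // constructed sample lines
            "10.0.0.5 alice \"GET /rest/file/download?uniqueFileName=report.pdf HTTP/1.1\" 200",
            "10.0.0.9 bob \"GET /rest/file/download?uniqueFileName=../../etc/passwd HTTP/1.1\" 200",
            "10.0.0.9 bob \"GET /rest/file/download?uniqueFileName=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1\" 403",
            "10.0.0.9 bob \"GET /rest/file/download?uniqueFileName=%252e%252e%252fconfig.yml HTTP/1.1\" 200");
        findSuspicious(constructedLog).forEach(l -> System.out.println("ALERT: " + l));
    }
}
```

The first line is not flagged; the other three are, including the double-encoded one that a single-pass decoder would miss.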
How to Mitigate CVE-2026-8736
Immediate Actions Required
- Restrict network and physical access to Oinone Pamirs instances to trusted operators only.
- Audit logs for prior exploitation attempts referencing uniqueFileName with traversal sequences.
- Place the application behind a WAF with rules that block path traversal payloads against the RestController routes.
Patch Information
No vendor patch is available. According to the disclosure record, the vendor was contacted early but did not respond. Monitor the VulDB advisory #364324 and the GitHub Issue Report for any future fix.
Workarounds
- Implement an upstream filter or proxy that canonicalizes and validates the uniqueFileName parameter before requests reach the application.
- Run the Pamirs service under a dedicated low-privilege account with file system permissions limited to the intended upload directory.
- Apply mandatory access controls such as SELinux or AppArmor profiles to confine the process to its expected file paths.
- Disable or remove the vulnerable LocalFileClient endpoint where business requirements allow.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.