Daptin, Unauthenticated Path Traversal and Zip Slip, CVE-None (Critical)

Listen to this Post

The vulnerability exists in the `cloudstore.file.upload` action defined in server/actions/action_cloudstore_file_upload.go. This action accepts multipart file uploads without any authentication checks. The handler extracts the `filename` from the `Content-Disposition` header of each uploaded part. It then concatenates this filename directly with a base directory path using `filepath.Join()` but does not sanitize or validate the resulting path. An attacker can supply filenames containing `../` sequences (e.g., ../../etc/passwd) to traverse outside the intended upload directory, achieving arbitrary file write. Additionally, when a ZIP archive is uploaded, the action extracts its contents using `archive/zip` without validating entry paths. A malicious ZIP can contain entries with `../` prefixes or absolute paths, leading to Zip Slip. The combination allows overwriting critical system files, planting SSH keys, or writing web shells. Because the action is unauthenticated and exposed over HTTP, any remote attacker can exploit this. The written files inherit the permissions of the Daptin process (often root in containers or high-privilege user). Successful exploitation leads to arbitrary file write and remote code execution (e.g., writing a cron job or a reverse‑shell script). The CVSS score is 10.0 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H, indicating network exploitable, low complexity, no privileges, no user interaction, scope changed, high integrity and availability impact but no confidentiality impact. No patch is available as of the advisory date (Apr 10, 2026); all versions ≤ v0.11.3 (the latest release) are vulnerable.

DailyCVE Form:

Platform: Daptin
Version: ≤0.11.3
Vulnerability: Path Traversal/Zip Slip
Severity: Critical
date: Apr 10 2026

Prediction: Apr 17 2026

What Undercode Say:

Check if vulnerable endpoint exists
curl -X POST http://target:8080/api/cloudstore.file.upload \
-F "[email protected]" \
-F "filename=../../../../tmp/shell.jsp"
Extract zip slip payload
echo "PK\x03\x04" > evil.zip
zip -r evil.zip ../../../../etc/cron.d/revshell
Test path traversal write
curl -X POST http://target:8080/api/cloudstore.file.upload \
-F "[email protected]" \
-F "filename=../../../var/www/html/shell.php"
Monitor file creation
inotifywait -m /var/lib/daptin/cloudstore/

Exploit:

  1. Craft a ZIP archive with entry names like ../../../../root/.ssh/authorized_keys.
  2. Send multipart POST to `/api/cloudstore.file.upload` with the ZIP file.
  3. Daptin extracts entries directly, writing files outside the sandbox.
  4. Alternatively, send a single file with filename `../../../../etc/passwd` to overwrite system files.
  5. After writing a web shell, execute commands via HTTP GET to the shell.
  6. For RCE, write a systemd service file or a cron job that downloads a reverse shell.

Protection from this CVE:

  • Upgrade to a patched version once released (none yet).
  • Restrict network access to the `/api/cloudstore.file.upload` endpoint via firewall or reverse proxy (allow only trusted IPs).
  • Implement authentication middleware for all `cloudstore.` actions in Daptin configuration (e.g., require JWT).
  • Use a Web Application Firewall (WAF) to block requests containing `../` or `PK\x03\x04` in filename parameters.
  • Deploy filesystem isolation (e.g., mount the upload directory as `noexec` and with nosuid).
  • Run Daptin inside a container with read‑only root filesystem and minimal privileges.

Impact:

  • Arbitrary file write – Attackers can create, overwrite, or delete any file accessible to the Daptin process.
  • Remote Code Execution – By writing executable files (scripts, binaries, cron jobs, SSH keys) and triggering their execution.
  • System compromise – Full control over the host if Daptin runs as root or with high privileges.
  • Data integrity loss – Critical configuration files can be altered, leading to denial of service or privilege escalation.
  • Lateral movement – Planted SSH keys or backdoors enable access to other internal systems.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top