Threat Advisory

OctoPrint Vulnerability Enables File Exfiltration

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A security vulnerability has been identified in OctoPrint versions up to 1.11.7 and 2.0.0rc2 that allows file exfiltration via query parameters on upload endpoints. An attacker who holds the FILE_UPLOAD permission can move files from elsewhere on the host into the upload folder and then download them. This poses a significant business risk: it can expose sensitive information, including secrets stored in OctoPrint's config or in system files, and because the files are moved rather than copied, the removal of the originals may also affect the availability of the host.

CVE-2026-54134 (CVSS score 7.0) – An attacker can exfiltrate files from the host by moving them into the upload folder, where they can then be downloaded. Exploitation requires the FILE_UPLOAD permission and is carried out by sending malicious query parameters to the affected upload endpoints: /api/files/{local|sdcard}, /api/languages, /plugin/backup/restore, and /plugin/pluginmanager/upload_file.

The overall risk and urgency are high. Successful exploitation could expose sensitive data such as secrets stored in OctoPrint's config or in system files, leading to financial loss, reputational damage, and regulatory penalties, and the relocation of system files away from their original paths could disrupt operation of the affected host. Note that the attacker must already hold an account or API key with the FILE_UPLOAD permission, so the exposure is bounded by how widely that permission has been granted and by whether the instance is reachable from untrusted networks.

RECOMMENDATION:

We recommend updating OctoPrint to version 1.11.8 or 2.0.0rc3. Until the update is applied, review which users and API keys hold the FILE_UPLOAD permission and restrict it to trusted accounts, since that permission is required to exploit the vulnerability.
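The following Python script is an added example for this advisory, not code from OctoPrint or from the advisory's authors. It classifies an OctoPrint version string against the affected ranges stated above (up to 1.11.7, and 2.0.0 release candidates before rc3), handling the ordering of release candidates relative to final releases, and can be fed the JSON body returned by OctoPrint's /api/version endpoint, which reports the running version in its `server` field. The rc1 lower bound for the 2.0.0 range is an assumption, and the sample response in the block is constructed, not captured from a real instance.

```python
"""
Check whether an OctoPrint version string falls inside the range affected by
CVE-2026-54134 as stated in this advisory: up to 1.11.7, and 2.0.0 release
candidates up to rc2 (fixed in 1.11.8 / 2.0.0rc3).
"""
import json
import re

# Version-string grammar handled here: "MAJOR.MINOR.PATCH" optionally followed
# by "rcN". Anything else is rejected rather than guessed at, so an unknown
# format is never silently reported as safe.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")


def parse_version(text):
    """Return a sortable tuple for an OctoPrint version string.

    Final releases sort after their own release candidates, so
    2.0.0rc2 < 2.0.0rc3 < 2.0.0. Raises ValueError for unrecognised input.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OctoPrint version: %r" % text)
    major, minor, patch, rc = m.groups()
    if rc is None:
        # Final release: the "1" in position 4 places it after any rc.
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


# Range boundaries taken from the advisory text. The 2.0.0rc1 lower bound is
# an assumption: the advisory names 2.0.0rc2 as the highest affected candidate.
FIXED_1X = parse_version("1.11.8")
FIRST_2X_RC = parse_version("2.0.0rc1")
FIXED_2X_RC = parse_version("2.0.0rc3")


def is_affected(version_text):
    """True if the version lies inside an affected range stated by the advisory."""
    v = parse_version(version_text)
    if v < FIXED_1X:
        return True
    return FIRST_2X_RC <= v < FIXED_2X_RC


def assess_api_version_response(body):
    """Assess the JSON body returned by OctoPrint's /api/version endpoint.

    The endpoint reports the running server version in the "server" field.
    Returns a small dict suitable for an inventory or patch-tracking report.
    """
    data = json.loads(body)
    server = data["server"]
    major = parse_version(server)[0]
    return {
        "server": server,
        "affected": is_affected(server),
        "recommended": "1.11.8" if major < 2 else "2.0.0rc3",
    }


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample = '{"api": "0.1", "server": "1.11.7", "text": "OctoPrint 1.11.7"}'
    print(assess_api_version_response(sample))
    for v in ("1.11.7", "1.11.8", "2.0.0rc2", "2.0.0rc3", "2.0.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

In practice you would collect the `/api/version` body from each instance with an API key that has only read access and pass it to `assess_api_version_response`; a `ValueError` from the parser means the version format was not one this script understands and should be inspected by hand rather than treated as patched.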

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-j4h9-pm27-4rfw
