Threat Advisory

WsgiDAV Vulnerabilities Enable Filesystem Escape

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48099 (CVSS score 7.1) is a path traversal vulnerability in the WsgiDAV package affecting versions <= 4.3.3. The `FilesystemProvider._loc_to_file_path()` method is not path-boundary aware, so an attacker with access to the WebDAV share, potentially anonymously or as an authenticated user, can escape the configured filesystem share root by sending a WebDAV request containing an encoded parent-directory segment. This allows the attacker to operate on files outside the intended share root via the WSGI/server layer, with the capability to read, modify, or delete them, and can result in significant business impact, including potential data breaches and system compromise. Exploitation requires that the deployment uses a filesystem-backed WsgiDAV share and that the attacker can send WebDAV requests accepted by that share. Further prerequisites are the existence of a sibling or neighboring path whose absolute path starts with the configured root path string, and the WsgiDAV process having OS permissions for the outside path.
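The prerequisite above (a neighbouring path whose absolute path starts with the configured root string) is the characteristic sign of a string-prefix comparison standing in for a real path-boundary check. The following added illustration is not WsgiDAV's code and does not claim to be the 4.3.4 fix; it contrasts a prefix-string check with a component-aware check built on `posixpath.commonpath`, using a constructed share root and constructed request paths.

```python
import posixpath
from urllib.parse import unquote

# Constructed share root for this illustration; not a real deployment path.
SHARE_ROOT = "/srv/webdav/share"


def _candidate(root: str, loc: str) -> str:
    """Decode the WebDAV location and map it onto the share root.

    posixpath.normpath collapses ".." segments, so an encoded "%2e%2e" that
    decodes to ".." can step above root before any check runs.
    """
    return posixpath.normpath(posixpath.join(root, unquote(loc).lstrip("/")))


def weak_file_path(root: str, loc: str) -> str:
    """Prefix-string check, which is not boundary aware: "/srv/webdav/share_backup/x"
    starts with "/srv/webdav/share" as a string, so a neighbouring directory passes.
    Included only to make the failure mode concrete."""
    path = _candidate(root, loc)
    if not path.startswith(root):
        raise PermissionError(f"outside share root: {loc}")
    return path


def safe_file_path(root: str, loc: str) -> str:
    """Component-aware check: root must be a complete path-component prefix of
    the candidate (posixpath.commonpath), rejecting both ".." escapes and
    sibling-prefix collisions."""
    root = posixpath.normpath(root)
    path = _candidate(root, loc)
    if posixpath.commonpath([root, path]) != root:
        raise PermissionError(f"outside share root: {loc}")
    return path


def is_rejected(check, loc: str, root: str = SHARE_ROOT) -> bool:
    """True when check refuses to map loc inside root."""
    try:
        check(root, loc)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: an in-share file, then an encoded parent segment
    # aimed at a neighbouring directory sharing the root's string prefix.
    for loc in ("/docs/report.txt", "/%2e%2e/share_backup/secret.txt"):
        print(loc, "weak rejects:", is_rejected(weak_file_path, loc),
              "safe rejects:", is_rejected(safe_file_path, loc))
```

A normal in-share request passes both checks; the encoded parent segment aimed at the sibling directory passes only the prefix-string check, which is exactly the case the advisory's prerequisite describes.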

RECOMMENDATION:

We recommend updating WsgiDAV to version 4.3.4.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-wxq4-cc2q-338q