CVE-2026-1776: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in owen2345 Camaleon CMS
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
AI Analysis
Technical Summary
CVE-2026-1776 is a path traversal vulnerability (CWE-22) affecting Camaleon CMS versions 2.4.5.0 through 2.9.0 prior to commit f54a77e. The flaw exists in the AWS S3 uploader implementation, specifically in the download_private_file functionality. Unlike the local uploader, the AWS uploader backend fails to validate the file paths using the valid_folder_path? method, allowing directory traversal sequences (e.g., ../) to be injected via the file parameter. This improper validation enables authenticated users, including those with low privileges, to read arbitrary files from the web server's filesystem. The vulnerability effectively bypasses an incomplete fix for CVE-2024-46987. Because the attacker must be authenticated but no further user interaction is needed, the attack surface is limited to registered users but can lead to exposure of sensitive files such as /etc/passwd, which may contain user account information. The vulnerability is network exploitable with low attack complexity and no privileges beyond authentication are required. The CVSS 4.0 vector indicates no impact on integrity or availability but high impact on confidentiality. No patches are linked yet, and no known exploits have been reported in the wild as of the publication date.
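The missing check described above is a containment test on the `file` value. The following Ruby sketch is an added example, not Camaleon's code or its `valid_folder_path?` implementation; `naive_private_path`, `resolve_private_file` and the temporary fixture are hypothetical names, and it assumes private files are read from a local root directory.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Unchecked pattern the advisory describes: the request value is joined as-is.
def naive_private_path(root, file_param)
  File.join(root, file_param)
end

# Hypothetical hardened resolver (not Camaleon's valid_folder_path?): returns
# the absolute path only when it is a regular file inside root, else nil.
def resolve_private_file(root, file_param)
  return nil if file_param.to_s.empty? || file_param.include?("\0")

  root_real = Pathname.new(root).realpath
  # Drop leading slashes so an absolute value cannot replace the root.
  candidate = root_real.join(file_param.sub(%r{\A/+}, ''))
  resolved = candidate.realpath # collapses ".." and follows symlinks
  # Trailing separator stops a sibling such as "private_old" from matching.
  inside = resolved.to_s.start_with?(root_real.to_s + File::SEPARATOR)
  inside && resolved.file? ? resolved.to_s : nil
rescue SystemCallError
  nil # missing file, permission error, symlink loop: treat as not found
end

# Constructed fixture: a private root, a file outside it, a symlink pointing out.
def demo
  Dir.mktmpdir do |base|
    root = File.join(base, 'private')
    FileUtils.mkdir_p(File.join(root, 'docs'))
    File.write(File.join(root, 'docs', 'report.txt'), 'ok')
    File.write(File.join(base, 'secret.txt'), 'outside root')
    File.symlink(File.join(base, 'secret.txt'), File.join(root, 'link.txt'))
    {
      naive_escapes: File.realpath(naive_private_path(root, '../secret.txt')) ==
                     File.realpath(File.join(base, 'secret.txt')),
      legit: resolve_private_file(root, 'docs/report.txt')&.end_with?('private/docs/report.txt'),
      dotdot: resolve_private_file(root, '../secret.txt'),
      absolute: resolve_private_file(root, '/etc/passwd'),
      symlink: resolve_private_file(root, 'link.txt')
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Comparing resolved real paths, rather than filtering `../` out of the string, is what also covers the symlink case.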
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive files on the web server hosting Camaleon CMS when configured with the AWS S3 uploader backend. Attackers with low-level authenticated access can read arbitrary files, potentially exposing system configuration, credentials, or other sensitive data. This can lead to further attacks such as privilege escalation, lateral movement, or data leakage. Organizations relying on Camaleon CMS for content management and using AWS S3 storage backend are at risk of confidential data exposure. The vulnerability does not directly affect system integrity or availability but compromises confidentiality, which can undermine trust, violate compliance requirements, and lead to reputational damage. Since the flaw bypasses a previous fix, it indicates incomplete remediation and may affect organizations that believed they were protected. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge.
Mitigation Recommendations
Organizations should immediately review their use of the AWS S3 uploader backend in Camaleon CMS and apply the patch corresponding to commit f54a77e or later once available. Until a patch is deployed, administrators should consider disabling the AWS S3 uploader backend or restricting access to the download_private_file functionality to trusted users only. Implement strict input validation and sanitization on the file parameter to prevent directory traversal sequences. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting this functionality. Monitor logs for suspicious file access patterns indicative of traversal exploitation. Conduct a thorough audit of sensitive files accessible via the web server and restrict file system permissions to minimize exposure. Educate users about the risk and ensure that only necessary users have authenticated access to the CMS. Finally, keep the CMS and all plugins updated to incorporate security fixes promptly.
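For the log-monitoring recommendation, the following Ruby sketch is an added example (not part of the original analysis or of Camaleon CMS) that flags requests to download_private_file whose `file` value contains traversal segments, including percent-encoded and double-encoded forms. The log lines, the `/cms/` URL prefix, the user names and the combined-log layout are constructed assumptions; adapt the regular expression to the real access-log format.

```ruby
require 'uri'

# Constructed access-log lines (not from a real system); "/cms/" is a placeholder prefix.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - alice [09/Mar/2026:21:19:17 +0000] "GET /cms/download_private_file?file=reports/q1.pdf HTTP/1.1" 200 5120
  203.0.113.9 - bob [09/Mar/2026:21:20:02 +0000] "GET /cms/download_private_file?file=../../../../etc/passwd HTTP/1.1" 200 1843
  203.0.113.9 - bob [09/Mar/2026:21:20:09 +0000] "GET /cms/download_private_file?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
  203.0.113.4 - carol [09/Mar/2026:21:21:40 +0000] "GET /cms/media?folder=../x HTTP/1.1" 200 77
LOG

# Percent-decode repeatedly so double-encoded values are normalised too.
def fully_decode(value, max_rounds = 3)
  max_rounds.times do
    decoded = URI.decode_www_form_component(value)
    break if decoded == value

    value = decoded
  end
  value
rescue ArgumentError
  value # malformed %-sequence: inspect the value as received
end

# Returns one hash per suspicious download_private_file request.
def traversal_hits(log_text)
  log_text.each_line.filter_map do |line|
    m = line.match(%r{"(?:GET|POST) (\S*download_private_file\S*) HTTP})
    next unless m

    query = m[1].split('?', 2)[1].to_s
    raw = query.split('&').map { |kv| kv.split('=', 2) }.find { |k, _| k == 'file' }&.last
    next unless raw

    path = fully_decode(raw).tr('\\', '/')
    next unless path.start_with?('/') || path.split('/').include?('..')

    { user: line.split[2], status: line[/" (\d{3}) /, 1].to_i, file: path }
  end
end

traversal_hits(SAMPLE_LOG).each { |hit| puts hit.inspect } if $PROGRAM_NAME == __FILE__
```

Hits with a 200 status deserve priority, since the response body may have contained the requested file.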
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-02T18:05:13.516Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69af3955ea502d3aa8c59c75
Added to database: 3/9/2026, 9:19:17 PM
Last enriched: 3/9/2026, 9:34:39 PM
Last updated: 3/13/2026, 8:29:15 PM