CVE-2026-1776: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in owen2345 Camaleon CMS
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
AI Analysis
Technical Summary
The vulnerability (CVE-2026-1776) in Camaleon CMS arises from improper limitation of pathname to a restricted directory (CWE-22) in the AWS S3 uploader implementation. Specifically, the download_private_file functionality does not validate file paths properly when using the CamaleonCmsAwsUploader backend, allowing directory traversal sequences via the file parameter. This enables any authenticated user, including low-privileged ones, to access sensitive files on the server such as /etc/passwd. This issue affects versions 2.4.5.0 through 2.9.0 before commit f54a77e and represents a bypass of the incomplete fix for CVE-2024-46987. The vulnerability is relevant only to deployments configured with the AWS S3 storage backend.
Potential Impact
An authenticated user with low privileges can exploit this vulnerability to read arbitrary files on the web server's filesystem, potentially exposing sensitive information. This compromises confidentiality but does not directly indicate impact on integrity or availability. The vulnerability bypasses a previous fix, indicating prior incomplete remediation. The CVSS 4.0 score of 6 (medium severity) reflects the network attack vector, low attack complexity, and required privileges.
Mitigation Recommendations
A patch is available for this vulnerability. Users of Camaleon CMS versions 2.4.5.0 through 2.9.0 using the AWS S3 uploader backend should apply the patch corresponding to commit f54a77e or later to remediate the issue. Since this is a cloud service component, verify with the vendor advisory for confirmation of patch deployment or updates. No additional mitigation steps are indicated beyond applying the official fix.
CVE-2026-1776: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in owen2345 Camaleon CMS
Description
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
CVSS v4.0
Score 6.0medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability (CVE-2026-1776) in Camaleon CMS arises from improper limitation of pathname to a restricted directory (CWE-22) in the AWS S3 uploader implementation. Specifically, the download_private_file functionality does not validate file paths properly when using the CamaleonCmsAwsUploader backend, allowing directory traversal sequences via the file parameter. This enables any authenticated user, including low-privileged ones, to access sensitive files on the server such as /etc/passwd. This issue affects versions 2.4.5.0 through 2.9.0 before commit f54a77e and represents a bypass of the incomplete fix for CVE-2024-46987. The vulnerability is relevant only to deployments configured with the AWS S3 storage backend.
Potential Impact
An authenticated user with low privileges can exploit this vulnerability to read arbitrary files on the web server's filesystem, potentially exposing sensitive information. This compromises confidentiality but does not directly indicate impact on integrity or availability. The vulnerability bypasses a previous fix, indicating prior incomplete remediation. The CVSS 4.0 score of 6 (medium severity) reflects the network attack vector, low attack complexity, and required privileges.
Mitigation Recommendations
A patch is available for this vulnerability. Users of Camaleon CMS versions 2.4.5.0 through 2.9.0 using the AWS S3 uploader backend should apply the patch corresponding to commit f54a77e or later to remediate the issue. Since this is a cloud service component, verify with the vendor advisory for confirmation of patch deployment or updates. No additional mitigation steps are indicated beyond applying the official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-02T18:05:13.516Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Is Cloud Service
- true
Threat ID: 69af3955ea502d3aa8c59c75
Added to database: 3/9/2026, 9:19:17 PM
Last enriched: 5/14/2026, 2:05:59 AM
Last updated: 6/12/2026, 12:20:41 PM
Views: 211
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.