
CVE-2026-28807: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in gleam-wisp wisp

Severity: High
Published: Tue Mar 10 2026 (03/10/2026, 21:34:47 UTC)
Source: CVE Database V5
Vendor/Project: gleam-wisp
Product: wisp

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gleam-wisp wisp allows arbitrary file read via percent-encoded path traversal. The wisp.serve_static function is vulnerable to path traversal because sanitization runs before percent-decoding. The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read. An unauthenticated attacker can read any file readable by the application process in a single HTTP request, including application source code, configuration files, secrets, and system files. This issue affects wisp: from 2.1.1 before 2.2.1.

AI-Powered Analysis

Last updated: 03/11/2026, 14:44:50 UTC

Technical Analysis

CVE-2026-28807 is a path traversal vulnerability classified under CWE-22 affecting the gleam-wisp wisp web framework from version 2.1.1 up to, but not including, 2.2.1. The vulnerability exists in the wisp.serve_static function, which serves static files based on user-supplied paths. The root cause is the order of operations in path sanitization: the function sanitizes the input path before percent-decoding URI-encoded characters. An attacker can therefore supply percent-encoded traversal sequences such as %2e%2e (which decodes to '..') that pass the sanitization step untouched. When the decoded path is then used to open a file, the operating system resolves the '..' segments to directories outside the intended restricted directory, enabling arbitrary file reads. Because the vulnerability can be triggered by a single HTTP request without authentication or user interaction, it poses a significant risk. Files exposed this way include application source code, configuration files, environment secrets, and any other system file readable by the application process. The vulnerability affects all deployments using vulnerable versions of wisp, a framework for web applications written in the Gleam language. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates a network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality with no impact on integrity or availability. No known public exploits have been reported yet, but the vulnerability is serious enough to warrant immediate attention.
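The ordering bug described above, modelled in Python as an added illustration (this is not wisp's code; the static root, the `sanitize` stand-in for the string.replace cleanup, and the request paths are all constructed here):

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

STATIC_ROOT = "/srv/app/priv/static"  # assumed deployment path (constructed)


def sanitize(path: str) -> str:
    """Stand-in for the string.replace-based cleanup: strips '..' sequences."""
    return path.replace("..", "")


def escapes_root(candidate: str) -> bool:
    """True if the normalised candidate lies outside STATIC_ROOT."""
    normalised = posixpath.normpath(candidate)
    return posixpath.commonpath([STATIC_ROOT, normalised]) != STATIC_ROOT


def vulnerable_resolve(request_path: str) -> str:
    """Bug: sanitize first, decode second. '%2e%2e' contains no literal '..',
    so sanitize() leaves it alone; unquote() then turns it into '..', which the
    OS honours when the file is opened."""
    decoded = unquote(sanitize(request_path))
    return posixpath.join(STATIC_ROOT, decoded.lstrip("/"))


def fixed_resolve(request_path: str) -> Optional[str]:
    """Fix: decode first, sanitize second, then verify the result is still
    inside STATIC_ROOT. Returns None for anything that should not be served."""
    decoded = unquote(request_path)
    cleaned = sanitize(decoded)
    if cleaned != decoded:
        # A legitimate static asset never needs '..'; reject rather than rewrite.
        return None
    candidate = posixpath.join(STATIC_ROOT, cleaned.lstrip("/"))
    if escapes_root(candidate):
        return None
    return posixpath.normpath(candidate)
```

`escapes_root` is the containment check that should be kept even after the decode/sanitize order is corrected; it is the last line of defence if another encoding trick slips past the string-level cleanup.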

Potential Impact

The impact of CVE-2026-28807 is substantial for organizations using the affected versions of the gleam-wisp wisp framework. An attacker can remotely read arbitrary files accessible to the application process, potentially exposing sensitive information such as source code, configuration files containing credentials or API keys, environment variables, and system files. This can lead to further attacks including credential theft, privilege escalation, and lateral movement within the network. Confidentiality is severely compromised, while integrity and availability are not directly affected. The ease of exploitation without authentication or user interaction increases the risk of automated scanning and mass exploitation attempts once the vulnerability becomes widely known. Organizations relying on wisp for web applications, especially those exposing static file serving functionality, face significant data breach risks and potential regulatory compliance violations if sensitive data is leaked.

Mitigation Recommendations

To mitigate CVE-2026-28807, organizations should immediately upgrade to wisp version 2.2.1 or later where the vulnerability is fixed. If upgrading is not immediately possible, implement strict input validation to reject any requests containing percent-encoded traversal sequences such as %2e%2e or %2f%2e%2e. Modify or wrap the wisp.serve_static function to perform percent-decoding before sanitization to ensure traversal sequences are properly detected and blocked. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts, including encoded variants. Restrict file system permissions so the application process has minimal read access, limiting the impact of any traversal exploit. Monitor logs for suspicious requests containing encoded traversal patterns and unusual file access. Conduct code reviews and penetration testing focused on static file serving endpoints. Finally, educate developers about secure handling of user input and the importance of decoding before sanitization in URI processing.
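The log-monitoring step above, as an added example (not part of the original advisory): a small scanner that flags requests whose path contains a '..' segment after any round of percent-decoding, so single- and double-encoded variants are both caught. The access-log lines are constructed for the example and the log format is assumed to be the common combined format.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page or any real system).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:21:40:01 +0000] "GET /static/css/app.css HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2026:21:40:03 +0000] "GET /static/%2e%2e/%2e%2e/config/app.toml HTTP/1.1" 200 455
203.0.113.9 - - [10/Mar/2026:21:40:05 +0000] "GET /static/img/logo%20dark.png HTTP/1.1" 200 9123
203.0.113.7 - - [10/Mar/2026:21:40:07 +0000] "GET /static/%252e%252e/priv/secret.env HTTP/1.1" 404 0
"""

# ip, method, path and status from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A '..' that forms a whole path segment (avoids flagging names like "a..b").
DOTDOT_SEGMENT_RE = re.compile(r"(^|/)\.\.(/|$)")


def is_traversal(path: str, max_rounds: int = 3) -> bool:
    """True if a '..' segment appears in the raw path or after any of up to
    max_rounds of percent-decoding (covers %2e%2e and %252e%252e alike)."""
    current = path
    for _ in range(max_rounds + 1):
        if DOTDOT_SEGMENT_RE.search(current):
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return False


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_path, status) for every suspicious request.
    A 200 status on a flagged line means the read likely succeeded and the
    host should be treated as exposed, not merely probed."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and is_traversal(match.group(3)):
            hits.append((match.group(1), match.group(3), match.group(4)))
    return hits
```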


Technical Details

Data Version
5.2
Assigner Short Name
EEF
Date Reserved
2026-03-03T14:40:00.590Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69b17c642f860ef943f8b121

Added to database: 3/11/2026, 2:29:56 PM

Last enriched: 3/11/2026, 2:44:50 PM

Last updated: 3/14/2026, 12:37:44 AM

