CVE-2026-32731: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in apostrophecms import-export
CVE-2026-32731 is a critical path traversal vulnerability in ApostropheCMS's import-export module prior to version 3.5.3. The vulnerability arises because the extract() function in gzip.js uses path.join() without sanitizing or resolving traversal sequences like '../', allowing crafted tar.gz files to write files outside the intended directory. Any user with Global Content Modify permission, typically content editors or site managers, can exploit this by uploading a malicious archive via the CMS import UI. This can lead to arbitrary file writes anywhere on the filesystem accessible to the Node.js process.
AI Analysis
Technical Summary
CVE-2026-32731 is a critical path traversal vulnerability classified under CWE-22 affecting the import-export module of ApostropheCMS versions prior to 3.5.3. The vulnerability exists in the extract() function within gzip.js, which uses Node.js's path.join() to construct file paths for extracting tar archive entries. However, path.join() does not sanitize or resolve path traversal sequences such as '../', allowing an attacker to craft tar entries with filenames like '../../evil.js' that escape the intended extraction directory. Since no canonical path validation or sanitization is performed before opening the write stream, the attacker-controlled file can be written anywhere on the host filesystem accessible to the Node.js process. Exploitation requires the attacker to have the Global Content Modify permission, a role commonly assigned to content editors and site managers, enabling them to upload malicious .tar.gz files via the standard CMS import interface. This leads to arbitrary file write capabilities, which can be leveraged to overwrite critical files, implant backdoors, or escalate privileges, severely compromising system confidentiality, integrity, and availability. The vulnerability has a CVSS v3.1 score of 10.0 (critical), with network attack vector, low attack complexity, privileges required, no user interaction, and scope change. Although no known exploits are reported in the wild yet, the severity and ease of exploitation make this a high-risk vulnerability. The issue is fixed in version 3.5.3 of @apostrophecms/import-export by implementing proper path sanitization and validation before file extraction.
Potential Impact
This vulnerability allows an attacker with limited privileges (Global Content Modify permission) to write arbitrary files anywhere on the host filesystem accessible to the Node.js process running ApostropheCMS. The impact includes potential full system compromise through overwriting critical system or application files, implanting malicious scripts or backdoors, and disrupting service availability. Confidentiality is at risk as attackers can overwrite or replace sensitive files, potentially exfiltrating data or modifying content. Integrity is compromised by unauthorized file modifications, and availability can be affected if critical files are corrupted or deleted. Since the vulnerability is exploitable remotely via the CMS import UI, attackers can leverage it to gain persistent access or pivot within the network. Organizations relying on ApostropheCMS for content management, especially those with multiple users assigned Global Content Modify roles, face significant risk of targeted attacks, data breaches, and operational disruption.
Mitigation Recommendations
Organizations should immediately upgrade the @apostrophecms/import-export module to version 3.5.3 or later, where the vulnerability is fixed. Until the upgrade is applied, restrict the assignment of the Global Content Modify permission to only trusted users and audit existing roles to minimize exposure. Implement strict input validation and sanitization on uploaded archive files if possible, including rejecting archives containing path traversal sequences. Employ runtime security controls such as filesystem access restrictions and containerization to limit the Node.js process's filesystem permissions, preventing writes outside designated directories. Monitor logs for suspicious import activities and unexpected file modifications. Additionally, conduct regular security reviews of user permissions and apply the principle of least privilege to reduce the attack surface. Consider deploying web application firewalls (WAFs) with rules to detect and block malicious archive uploads.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.627Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bb2706771bdb1749cae21d
Added to database: 3/18/2026, 10:28:22 PM
Last enriched: 3/26/2026, 1:11:25 AM
Last updated: 5/2/2026, 7:46:47 AM