GHSA-5g75-477j-2c2f: LaunchServer FileServerHandler has an unauthenticated path traversal issue

Severity: Critical
Published: 07/02/2026 (07/02/2026, 20:49:18 UTC)
Source: GCVE Database
Product: pro.gravit.launcher:launchserver-api

Description

An unauthenticated path traversal vulnerability in GravitLauncher LaunchServer (≤ 5.7.11) allows remote attackers to read arbitrary files accessible by the LaunchServer process. This includes sensitive files such as private keys used for signing JWT access tokens, refresh-token salts, and database credentials. The vulnerability arises from improper normalization of request paths, enabling traversal outside the intended directory. The file server is enabled by default and listens on all interfaces without authentication, exposing critical secrets. Exploitation requires sending a specially crafted HTTP GET request whose request-target has no leading slash, which bypasses normal path normalization. This leads to full authentication bypass and potential full system compromise.

CVSS v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected software

Ecosystem: Maven (GHSA)
Package: pro.gravit.launcher:launchserver-api
Affected versions: <=5.7.11

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 23:05:42 UTC

Technical Analysis

The LaunchServer HTTP file server component (FileServerHandler) in GravitLauncher LaunchServer versions up to 5.7.11 has an unauthenticated path traversal flaw. The vulnerability is due to improper handling of request-targets that do not start with a slash, causing the path normalization logic to fail and allowing resolution of file paths outside the intended updates directory. This enables attackers to read any file readable by the LaunchServer process, including critical secrets such as the ECDSA private key (.keys/ecdsa_id), refresh-token salt (.keys/legacySalt), and database credentials (LaunchServer.json). The file server is enabled by default, bound to 0.0.0.0:9274, and does not require authentication, making exploitation straightforward via raw socket HTTP GET requests without a leading slash. Normal HTTP clients and proxies that normalize paths block this vector, but direct exposure or TCP-level proxies remain vulnerable. The flaw allows attackers to forge valid access tokens for any account, including admins, resulting in full authentication bypass and system compromise.

Potential Impact

Unauthenticated remote attackers can read arbitrary files accessible to the LaunchServer process, including private keys used to sign JWT access tokens, refresh-token salts, and database credentials. This enables attackers to mint valid access tokens for any user, including administrators, effectively bypassing authentication. The exposure of these secrets can lead to full system compromise, unauthorized access, and data breaches. The vulnerability also allows reading other sensitive files such as configuration and system files, increasing the attack surface.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Suggested fixes include re-normalizing the resolved file path and verifying it remains within the intended base directory, rejecting request targets that do not start with a leading slash, and binding the file server to localhost (127.0.0.1) by default. Deployments should firewall or restrict access to port 9274 to prevent direct exposure. Use of a normalizing L7 reverse proxy (e.g., stock nginx with path normalization) can block the primary attack vector by rejecting no-leading-slash requests. Until an official fix is available, restrict network access to the vulnerable service and monitor for suspicious activity.
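
The two code-level fixes suggested above (reject request-targets without a leading slash, then re-normalize the resolved path and confirm it stays inside the base directory) can be sketched as follows. This is an added example, not LaunchServer's own code or the vendor's patch: the class `SafePathResolver`, its `resolve` method and the temporary directory layout are hypothetical, and the request-target is assumed to have been percent-decoded exactly once by the HTTP layer.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

// Hypothetical helper (not FileServerHandler): maps a request-target to a file under baseDir.
public final class SafePathResolver {
    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath(); // resolve symlinks once, compare against the true base
    }

    // Returns the file to serve, or empty if the request must be rejected.
    public Optional<Path> resolve(String requestTarget) {
        // 1. Reject request-targets that do not start with a slash.
        if (requestTarget == null || !requestTarget.startsWith("/")) return Optional.empty();
        String path = requestTarget.split("[?#]", 2)[0]; // drop query string and fragment
        if (path.indexOf('\0') >= 0 || path.indexOf('\\') >= 0) return Optional.empty();
        try {
            // 2. Resolve against the base, then normalize the *resolved* path.
            Path candidate = baseDir.resolve(path.substring(1)).normalize();
            // 3. Containment check. Path.startsWith compares whole name elements,
            //    so a sibling such as "updates-old" does not match "updates".
            if (!candidate.startsWith(baseDir)) return Optional.empty();
            // 4. Repeat the check after following symlinks; toRealPath fails on missing files.
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) return Optional.empty();
            return Optional.of(real);
        } catch (IOException | RuntimeException e) {
            return Optional.empty(); // invalid path or unreadable file: serve nothing
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/updates/client.jar beside <tmp>/secret.key
        Path root = Files.createTempDirectory("demo");
        Path updates = Files.createDirectory(root.resolve("updates"));
        Files.writeString(updates.resolve("client.jar"), "payload");
        Files.writeString(root.resolve("secret.key"), "private");
        SafePathResolver r = new SafePathResolver(updates);
        String[] targets = {"/client.jar", "/../secret.key", "../secret.key", "//etc/passwd"};
        for (String t : targets) {
            System.out.println(t + " -> " + (r.resolve(t).isPresent() ? "serve" : "reject"));
        }
    }
}
```

The containment check runs on the final resolved path rather than on the raw request string, so it holds regardless of how the traversal sequence was spelled in the request.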

Technical Details

GCVE Source: db.gcve.eu
OSV ID: GHSA-5g75-477j-2c2f
OSV Schema Version: 1.4.0
Aliases: CVE-2026-54617
Ecosystems: Maven
Database Specific Severity: CRITICAL
CVSS Version: 3.1

Threat ID: 6a46ecae27e9c7971943b8d9

Added to database: 07/02/2026, 22:56:46 UTC

Last enriched: 07/02/2026, 23:05:42 UTC

Last updated: 07/02/2026, 23:05:42 UTC
