Normal view
-
CERT Recently Published Vulnerability Notes
- VU#937808: Casdoor contains Arbitrary File Write vulnerability
VU#937808: Casdoor contains Arbitrary File Write vulnerability
Overview
Casdoor contains an arbitrary file write vulnerability in the implementation of its "Local File System" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. The vulnerability allows attackers to bypass Casdoorβs storage sandbox and perform unauthorized actions with the privileges of the Casdoor runtime user.
Description
Casdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services for applications. Internally, it uses its Local File System storage provider to save files to a dedicated $CASDOOR/files/ directory.
During a file upload via the /api/upload-resource endpoint, the Casdoor application determines the target storage filepath by concatenating the user-supplied parameters pathPrefix and fullFilePath. However, values provided for pathPrefix are not properly sanitized, so directory traversal sequences such as ../../ are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process. The application does not verify that the destination filepath remains inside the dedicated storage directory, and it will create or overwrite any file that the Casdoor process has permission to modify.
CVE-2026-6815 An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with file upload privileges can perform a path traversal attack to create or overwrite arbitrary files elsewhere on the host filesystem, bypassing the application's intended storage sandbox.
Impact
Successful exploitation enables arbitrary file creation and modification on the host system, which can be used by an attacker to:
* Overwrite any file that is accessible to the Casdoor process.
* Establish persistence by creating scheduled tasks or cron jobs through the filesystem as the Casdoor user.
* Overwrite Casdoorβs backend database file casdoor.db, causing authentication services to fail and locking out all users and dependent applications.
Exploitation of this vulnerability requires the attacker to possess an authenticated session with sufficient permissions to manage storage providers and interact with the resource upload API. Depending on the privileges of the Casdoor service account, this vulnerability may allow escalation from application-level access to full host compromise.
Solution
A pull request has been submitted to the Casdoor repository that implements proper validation of storage paths, available here: https://github.com/casdoor/casdoor/pull/5458 . Otherwise, deployments should limit administrative access and restrict the filesystem permissions of the Casdoor service account. Administrators should avoid using the Local File System provider or disable this service in multi-user or exposed environments.
Acknowledgements
Thanks to Danilo Dell'Orco for researching and reporting this vulnerability. This document was written by Molly Jaconski.
Vendor Information
Other Information
| CVE IDs: | CVE-2026-6815 |
| Date Public: | 2026-05-11 |
| Date First Published: | 2026-05-11 |
| Date Last Updated: | 2026-05-11 14:48 UTC |
| Document Revision: | 2 |
Why Changing Passwords Doesnβt End an Active Directory Breach
Google: Hackers used AI to develop zero-day exploit for web admin tool
Webinar this week: Prevention alone is not enough against modern attacks
-
Data and computer security | The Guardian

- Palantirβs access to identifiable NHS England patient data is βdangerousβ, MPs say
Palantirβs access to identifiable NHS England patient data is βdangerousβ, MPs say
Health service has given US tech firm βunlimited accessβ to certain data to build integrated platform, according to reports
MPs have warned that an NHS decision to grant Palantir access to identifiable patient information in its plan to use AI to improve the health service is βdangerousβ and will fuel public fears that data privacy is not being prioritised.
NHS England has allowed staff from the US tech firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a βrisk of loss of public confidenceβ, the Financial Times reported.
Continue reading...
Β© Photograph: David Levene/The Guardian

Β© Photograph: David Levene/The Guardian

Β© Photograph: David Levene/The Guardian
TrickMo Android banker adopts TON blockchain for covert comms
GROWI vulnerable to path traversal
-
JVNRSS Feed - Update Entry
- Canon Production Printers and Office Multifunction Printers vulnerable to information disclosure
Canon Production Printers and Office Multifunction Printers vulnerable to information disclosure
"Kura Sushi Official App" vulnerable to improper certificate validation
libXpm vulnerable to out-of-bounds read
Lhaz and Lhaz+ vulnerable to path traversal
Hackers abuse Google ads, Claude.ai chats to push Mac malware
Police shut down reboot of Crimenetwork marketplace, arrest admin
JDownloader site hacked to replace installers with Python RAT malware
Fake OpenAI repository on Hugging Face pushes infostealer malware
-
CERT Recently Published Vulnerability Notes
- VU#260001: Linux kernel contains local privilege escalation vulnerability (Copy Fail)
VU#260001: Linux kernel contains local privilege escalation vulnerability (Copy Fail)
Overview
A privilege escalation vulnerability has been discovered in Linux kernel versions version 4.17 (released 2017) and later. Many popular distributions and Linux-based containers are affected. This vulnerability was publicly disclosed on April 29, 2026, has been assigned CVE ID CVE-2026-31431, and is commonly referred to as "Copy Fail."
Description
The Linux kernel, since version 4.17, includes the algif_aead module, which provides user space access to authenticated encryption with associated data (AEAD) operations via the AF_ALG interface. This module may be available as a loadable kernel module or compiled directly into the kernel, depending on the Linux distribution or the custom built Linux install.
According to the https://copy.fail disclosure statement:
An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.
The vulnerability is caused by a logic flaw in the Linux kernelβs algif_aead (AF_ALG) implementation. An unprivileged local user can reliably perform a controlled 4-byte write into the page cache of any readable file without race conditions or timing dependencies.
Critically, the corrupted page is not marked dirty, so the modified contents are never written back to disk. The underlying file remains unchanged, allowing the in-memory corruption to bypass checksum and file integrity verification mechanisms. Because subsequent reads are served from the page cache, an attacker can target a setuid binary and modify its in-memory contents to achieve local privilege escalation to root.
A 732-byte proof-of-concept Python script demonstrates exploitation by modifying a setuid binary to obtain root privileges on many Linux distributions released since 2017. This vulnerability was discovered by Taeyang Lee of Theori, with assistance from their AI-based static application security testing (SAST) tool, Xint Code, during analysis of the Linux kernel cryptographic subsystem.
Impact
This vulnerability allows an unprivileged local user to modify the in-memory contents of a setuid binary and escalate privileges to root. Public proof-of-concept (PoC) exploit code is available, therefore increasing the likelihood of exploitation.
Solution
Patch the Kernel
Apply the upstream kernel patch that addresses the issue by reverting AF_ALG AEAD to an out-of-place operation.
Update Linux distribution
Update your distributionβs kernel package as soon as vendor patches become available. Most major Linux distributions are expected to release fixes through their standard update channels.
Workarounds (if patching is not immediately possible):
-
Disable the
algif_aeadmodule (if loadable):
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null
This prevents the module from being loaded and removes it if already active. -
If
algif_aeadis compiled into the kernel (not a dynamic module), the following parameter can be added to grub or systemd-boot or grubby depending on your boot configuration:
initcall_blacklist=algif_aead_init
This prevents the module from initializing at boot time. A system reboot is required for this change to take effect.
Note: These workarounds may impact applications that rely on AF_ALG cryptographic interfaces.
Mitigation for containers
For containerized environments, where this vulnerability may be leveraged for container escape, consider applying one or more of the following mitigations:
- Secure computing (seccomp) filtering: Restrict or deny system calls that create sockets using the AF_ALG address family (protocol 38).
- AppArmor policies: Use AppArmor to block creation of AF_ALG sockets via the network alg rule.
- eBPF-based enforcement: Deploy BPF-based controls to deny socket creation with address family AF_ALG (38).
This is adopted from the guidance provided by bytedance for the vArmor community.
Note on Virtualization
While the internal kernel within a virtual machine (VM) or MicroVM is susceptible to this vulnerability, standard virtualization provides hardware-enforced memory isolation. This bug cannot be directly leveraged to facilitate a virtualization escape from a guest to the host. Virtualization and micro-virtualization technologies effectively contain the impact to the individual VM instance, protecting the host kernel and neighboring tenants from guest-originated attacks.
Acknowledgements
This vulnerability was disclosed by Theori.io research group. This document was written by Bob Kemerer and Vijay Sarvepalli.
Vendor Information
References
- https://xint.io/blog/copy-fail-linux-distributions
- https://nvd.nist.gov/vuln/detail/CVE-2026-31431
- https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
- https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
- https://copy.fail/
- https://github.com/theori-io/copy-fail-CVE-2026-31431
- https://www.stream.security/post/cve-2026-31431-how-copy-fail-behaves-in-kubernetes
- https://github.com/iwanhae/copyfail-ebpf-k8s
Other Information
| CVE IDs: | CVE-2026-31431 |
| Date Public: | 2026-05-08 |
| Date First Published: | 2026-05-08 |
| Date Last Updated: | 2026-05-08 20:10 UTC |
| Document Revision: | 3 |