Cyber Posture

CVE-2026-40163

Severity: High · Public PoC

Published: 10 April 2026
Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0012 (30.7th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: Validates user-supplied path inputs to the /sync/offline_changes and /sync/upload_finished endpoints, preventing path traversal that enables arbitrary directory creation, file writes, and reads.
- prevent: Enforces access control policies to block unauthenticated filesystem modifications and directory traversals via the vulnerable endpoints.
- prevent: Restricts dangerous actions like arbitrary file writes and directory listings to only explicitly permitted unauthenticated operations, excluding these vulnerable endpoints.

Security Summary (AI)

CVE-2026-40163 is a path traversal vulnerability (CWE-22) affecting Saltcorn, an extensible open-source no-code database application builder. In versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint enables unauthenticated attackers to create arbitrary directories and write attacker-controlled changes.json files anywhere on the server filesystem. Additionally, the GET /sync/upload_finished endpoint allows unauthenticated attackers to list contents of arbitrary directories and read specific JSON files. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) and was published on 2026-04-10.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted requests to the affected endpoints, attackers can achieve arbitrary directory creation and manipulation, write malicious JSON content to changes.json files in chosen locations, enumerate directory structures, and extract sensitive data from targeted JSON files, potentially leading to information disclosure and filesystem integrity compromise.

The Saltcorn GitHub security advisory (GHSA-32pv-mpqg-h292) confirms the issue and states that it is fixed in Saltcorn versions 1.4.5, 1.5.5, and 1.6.0-beta.4. Security practitioners should upgrade to one of these patched releases to mitigate the vulnerability.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

saltcorn / saltcorn: 1.6.0 · ≤ 1.4.5 · 1.5.0 to 1.5.5

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

The path traversal vulnerability sits in a public-facing web application, which maps to T1190 (Exploit Public-Facing Application). The arbitrary directory listing and file reads it allows map to T1083 (File and Directory Discovery).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References