{"vuid":"VU#937808","idnumber":"937808","name":"Casdoor contains Arbitrary File Write vulnerability","keywords":null,"overview":"### Overview\r\nCasdoor contains an arbitrary file write vulnerability in the implementation of its \"Local File System\" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. The vulnerability allows attackers to bypass Casdoor’s storage sandbox and perform unauthorized actions with the privileges of the Casdoor runtime user.\r\n\r\n### Description\r\nCasdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services for applications. Internally, it uses its Local File System storage provider to save files to a dedicated `$CASDOOR/files/` directory.\r\n\r\nDuring a file upload via the `/api/upload-resource` endpoint, the Casdoor application determines the target storage filepath by concatenating the user-supplied parameters `pathPrefix` and `fullFilePath`. However, values provided for `pathPrefix` are not properly sanitized, so directory traversal sequences such as `../../` are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process. The application does not verify that the destination filepath remains inside the dedicated storage directory, and it will create or overwrite any file that the Casdoor process has permission to modify.\r\n\r\n**CVE-2026-6815** An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with file upload privileges can perform a path traversal attack to create or overwrite arbitrary files elsewhere on the host filesystem, bypassing the application's intended storage sandbox.\r\n\r\n### Impact\r\nSuccessful exploitation enables arbitrary file creation and modification on the host system, which can be used by an attacker to:\r\n* Overwrite any file that is accessible to the Casdoor process.\r\n* Establish persistence by creating scheduled tasks or cron jobs through the filesystem as the Casdoor user.\r\n* Overwrite Casdoor’s backend database file `casdoor.db`, causing authentication services to fail and locking out all users and dependent applications.\r\n\r\nExploitation of this vulnerability requires the attacker to possess an authenticated session with sufficient permissions to manage storage providers and interact with the resource upload API. Depending on the privileges of the Casdoor service account, this vulnerability may allow escalation from application-level access to full host compromise.\r\n\r\n### Solution\r\nA pull request has been submitted to the Casdoor repository that implements proper validation of storage paths, available here: https://github.com/casdoor/casdoor/pull/5458. Otherwise, deployments should limit administrative access and restrict the filesystem permissions of the Casdoor service account. Administrators should avoid using the Local File System provider or disable this service in multi-user or exposed environments.\r\n\r\n### Acknowledgements\r\nThanks to Danilo Dell'Orco for researching and reporting this vulnerability. This document was written by Molly Jaconski.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":[],"cveids":["CVE-2026-6815"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-05-11T14:48:18.993223Z","publicdate":"2026-05-11T14:48:18.838812Z","datefirstpublished":"2026-05-11T14:48:19.004991Z","dateupdated":"2026-05-11T14:48:54.693600Z","revision":2,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":194}