{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/937808#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nCasdoor contains an arbitrary file write vulnerability in the implementation of its \"Local File System\" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. The vulnerability allows attackers to bypass Casdoor’s storage sandbox and perform unauthorized actions with the privileges of the Casdoor runtime user.\r\n\r\n### Description\r\nCasdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services for applications. Internally, it uses its Local File System storage provider to save files to a dedicated `$CASDOOR/files/` directory.\r\n\r\nDuring a file upload via the `/api/upload-resource` endpoint, the Casdoor application determines the target storage filepath by concatenating the user-supplied parameters `pathPrefix` and `fullFilePath`. However, values provided for `pathPrefix` are not properly sanitized, so directory traversal sequences such as `../../` are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process. The application does not verify that the destination filepath remains inside the dedicated storage directory, and it will create or overwrite any file that the Casdoor process has permission to modify.\r\n\r\n**CVE-2026-6815** An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with file upload privileges can perform a path traversal attack to create or overwrite arbitrary files elsewhere on the host filesystem, bypassing the application's intended storage sandbox.\r\n\r\n### Impact\r\nSuccessful exploitation enables arbitrary file creation and modification on the host system, which can be used by an attacker to:\r\n* Overwrite any file that is accessible to the Casdoor process.\r\n* Establish persistence by creating scheduled tasks or cron jobs through the filesystem as the Casdoor user.\r\n* Overwrite Casdoor’s backend database file `casdoor.db`, causing authentication services to fail and locking out all users and dependent applications.\r\n\r\nExploitation of this vulnerability requires the attacker to possess an authenticated session with sufficient permissions to manage storage providers and interact with the resource upload API. Depending on the privileges of the Casdoor service account, this vulnerability may allow escalation from application-level access to full host compromise.\r\n\r\n### Solution\r\nA pull request has been submitted to the Casdoor repository that implements proper validation of storage paths, available here: https://github.com/casdoor/casdoor/pull/5458. Otherwise, deployments should limit administrative access and restrict the filesystem permissions of the Casdoor service account. Administrators should avoid using the Local File System provider or disable this service in multi-user or exposed environments.\r\n\r\n### Acknowledgements\r\nThanks to Danilo Dell'Orco for researching and reporting this vulnerability. This document was written by Molly Jaconski.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/937808"}],"title":"Casdoor contains Arbitrary File Write vulnerability","tracking":{"current_release_date":"2026-05-11T14:48:54+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.39"}},"id":"VU#937808","initial_release_date":"2026-05-11 14:48:18.838812+00:00","revision_history":[{"date":"2026-05-11T14:48:54+00:00","number":"1.20260511144854.2","summary":"Released on 2026-05-11T14:48:54+00:00"}],"status":"final","version":"1.20260511144854.2"}},"vulnerabilities":[{"title":"An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider.","notes":[{"category":"summary","text":"An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application's intended storage sandbox."}],"cve":"CVE-2026-6815","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#937808"}]}],"product_tree":{"branches":[]}}