Skip to main content

getssl CVE-2026-10303

| EUVDEUVD-2026-37201 HIGH
External Control of File Name or Path (CWE-73)
2026-06-16 runZero GHSA-9v83-jvh5-6gh3
7.4
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Crafted ACME response yields RCE as the renewal user, so C:H/I:H/A:H; AC:H reflects required CA control or on-path TLS tamper; PR:N/UI:N - no victim creds or interaction.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 19:47 vuln.today
Analysis Generated
Jun 16, 2026 - 19:47 vuln.today

DescriptionCVE.org

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.

AnalysisAI

Remote command injection in ServerCo getssl 2.49 and prior allows an attacker who controls or tampers with ACME challenge responses (a malicious/compromised CA endpoint or on-path adversary) to write attacker-chosen file paths via tokens that violate RFC 8555 base64url constraints, typically yielding code execution as the privileged user that renews certificates. The issue was reported by runZero, fixed upstream in v2.50, and at the time of analysis there is no public exploit identified and the CVE is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Position on ACME response path or stand up rogue CA
Delivery
Wait for getssl renewal request
Exploit
Return crafted challenge token with traversal/metachars
Install
getssl uses token in path/file operations
C2
File write escapes challenge directory
Execute
Shell interpretation triggers command injection
Impact
Code executes as privileged renewal user

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control the ACME challenge token the victim's getssl instance receives. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 7.4 vector (AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:N) accurately captures the trade-off: no credentials and no user interaction are needed (PR:N/UI:N), but AC:H reflects that the attacker must control or tamper with the ACME server's response channel - either by operating a malicious/compromised CA the victim has configured, or by an on-path TLS-tampering position between getssl and the CA. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An adversary operating a hostile ACME directory the victim has configured, or sitting on-path with the ability to alter the CA's HTTP/TLS responses (e.g., a lawful-intercept appliance or a compromised upstream proxy), returns a challenge token that contains path-traversal segments and shell metacharacters instead of a clean base64url string. When getssl writes the challenge file using that token, the path escapes the challenge directory and/or the shell command line gets reinterpreted, executing attacker-supplied commands as the (often root) user running the renewal. …
Remediation Vendor-released patch: upgrade to getssl v2.50 (https://github.com/srvrco/getssl/releases/tag/v2.50), which lands the validate_token function and basename hardening from PR #896 (https://github.com/srvrco/getssl/pull/896). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all ServerCo getssl installations in production and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy