CVE-2026-2331
CRITICALCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.
Analysis
Unauthenticated file read/write via AppEngine Fileaccess over HTTP.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all AppEngine deployments and identify which versions are affected; immediately isolate or disable public HTTP access to AppEngine Fileaccess endpoints. Within 7 days: Implement network segmentation to restrict AppEngine traffic; deploy Web Application Firewall (WAF) rules to block suspicious file access patterns; conduct forensic analysis for signs of exploitation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today