Skip to main content

Suse CVE-2026-33528

MEDIUM
Path Traversal (CWE-22)
2026-03-24 https://github.com/yusing/godoxy
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 24, 2026 - 16:45 vuln.today
Patch released
Mar 24, 2026 - 16:45 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:35 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required").

An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID.

Root Cause

File: internal/api/v1/file/get.go, lines 68-73:

go
func (t FileType) GetPath(filename string) string {
    if t == FileTypeMiddleware {
        return path.Join(common.MiddlewareComposeBasePath, filename)
    }
    return path.Join(common.ConfigBasePath, filename)
}
  • common.ConfigBasePath = "config" - relative path, not absolute
  • path.Join("config", "../certs/key.pem") normalizes to "certs/key.pem" - escaping config/
  • No call to strings.HasPrefix, filepath.Rel, or any containment check exists
  • The format:"filename" struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator

Proof of Concept

Environment

  • GoDoxy v0.27.4 (ghcr.io/yusing/godoxy:latest)
  • Authentication enabled with default credentials (admin/password)

Steps to Reproduce

Step 1 - Authenticate:

Step 2 - Read file outside config/ via path traversal:

http
GET /api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem HTTP/1.1
Host: localhost:8888
Cookie: godoxy_token=<JWT>

HTTP Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: application/godoxy+yaml
Expires: 0
Pragma: no-cache

THIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS

<img width="1489" height="286" alt="image" src="https://github.com/user-attachments/assets/05f3464f-20ba-4913-830d-9fcc2fa1a2e3" />

Impact

Files accessible via this vulnerability

Path (relative to config/)ContentsRisk
../certs/agents/{host}.zipCA cert + server cert + TLS private keyImpersonate GoDoxy server to remote agents
../data/oauth_refresh_tokens.jsonOIDC refresh tokens for all active sessionsAccount takeover via token reuse
../../etc/ssl/certs/ca-certificates.crtSystem CA certificatesInformation disclosure
Any file readable by UID 1000Depends on mounted volumesVariable

The PUT /api/v1/file/content endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside config/, potentially injecting malicious route definitions.

Suggested Remediation

Validate that the resolved path remains within the base directory:

go
func (t FileType) GetPath(filename string) (string, error) {
    var base string
    if t == FileTypeMiddleware {
        base = common.MiddlewareComposeBasePath
    } else {
        base = common.ConfigBasePath
    }

    absBase, _ := filepath.Abs(base)
    resolved, _ := filepath.Abs(filepath.Join(base, filename))

    if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
        return "", fmt.Errorf("path traversal detected: %s", filename)
    }

    return resolved, nil
}

AnalysisAI

GoDoxy versions prior to 0.27.5 contain a path traversal vulnerability in the /api/v1/file/content API endpoint that allows authenticated attackers to read and write arbitrary files outside the intended config/ directory. An attacker with valid credentials can exploit this vulnerability to access sensitive files including TLS private keys, OAuth refresh tokens, and system certificates by manipulating the filename query parameter with ../ sequences. A proof-of-concept has been published demonstrating successful extraction of private keys, and the vulnerability carries a CVSS 6.5 score with active patch availability.

Technical ContextAI

The vulnerability exists in GoDoxy (pkg:go/github.com_yusing_godoxy), a containerized configuration and proxy management application written in Go. The root cause is improper input validation in the file content retrieval handler (internal/api/v1/file/get.go), which implements a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability. The application uses Go's path.Join() function with a relative base path (config/) combined with unsanitized user-supplied filename parameters. Since path.Join() performs path normalization without enforcing directory containment, an attacker can traverse parent directories using ../ sequences. The vulnerable code lacks any post-join validation such as filepath.Abs() comparison or strings.HasPrefix() containment checks, allowing normalization to escape the intended directory boundary.

RemediationAI

Immediately upgrade GoDoxy to version 0.27.5 or later, which implements proper path containment validation using filepath.Abs() and strings.HasPrefix() checks as described in the vendor advisory. For organizations unable to patch immediately, implement network-level access controls by restricting access to the /api/v1/file/content API endpoint to trusted internal networks only, disable password authentication in favor of multi-factor authentication or OAuth/OIDC integration to reduce compromised account risk, and audit container image registries to ensure only patched versions are deployed. Additionally, rotate any TLS private keys and OAuth refresh tokens that may have been exposed during the window of vulnerability. Detailed patch information and migration guidance are available at https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33528 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy