Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.
AnalysisAI
Directory traversal in the OpenDaylight Controller v12.0.5 cluster-admin:backup-datastore component allows unauthenticated remote attackers to read arbitrary files outside the intended backup directory via a crafted request. A public proof-of-concept exists on GitHub (majdlatah/ODL-Path-Traversal), though no active exploitation has been reported and EPSS scoring places real-world exploitation probability at the 16th percentile.
Technical ContextAI
OpenDaylight (ODL) is an open-source modular SDN controller platform used to manage network infrastructure in data centers and carrier environments. The affected cluster-admin:backup-datastore is an administrative RPC/REST endpoint within the controller's clustering subsystem responsible for producing datastore backups for the Akka-based cluster. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) indicates the endpoint accepts a user-supplied path or filename parameter and concatenates it into a filesystem operation without normalizing or constraining traversal sequences such as '../', allowing the request to escape the intended backup output directory.
RemediationAI
No vendor-released patch identified at time of analysis - the references include the OpenDaylight Titanium release notes and a PoC repository but no fixed-version advisory. Until OpenDaylight publishes a patched release, restrict network access to the controller's RESTCONF/JSON-RPC management endpoints (typically TCP 8181/8185) to trusted management subnets only, and ensure AAA (ODL's odl-aaa-shiro) is enabled with non-default credentials so the cluster-admin:backup-datastore RPC cannot be invoked anonymously - note this breaks any automation that relies on unauthenticated cluster RPCs. As an additional control, monitor for and block requests to the backup-datastore endpoint containing traversal sequences ('../', encoded variants, or absolute paths), accepting the trade-off that some legitimate backup tooling using parameterized paths may be impacted. Track the OpenDaylight release notes link above for the fixed version announcement.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34866
GHSA-wq62-rvp9-jp4w