
PHP CVE-2026-3839

EUVD-2026-12168 | HIGH 7.3 (CVSS 3.0 · NVD)
Path Traversal (CWE-22)
2026-03-13 · zdi

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 13, 2026 - 21:01 (euvd), EUVD-2026-12168
Analysis Generated: Mar 13, 2026 - 21:01 (vuln.today)
CVE Published: Mar 13, 2026 - 20:38 (nvd), HIGH 7.3

Description (CVE.org)

Unraid Authentication Request Path Traversal Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Unraid. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the auth-request.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in authentications. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-28912.

Analysis (AI)

Critical authentication bypass vulnerability in Unraid's auth-request.php file that allows remote attackers to gain unauthorized access without credentials through path traversal exploitation. The vulnerability affects all versions of Unraid (CPE indicates no version restrictions) and can be exploited over the network with low complexity, potentially compromising system confidentiality, integrity, and availability. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Send crafted path traversal request to auth-request.php
Exploit: Bypass authentication validation checks
Impact: Gain unauthorized system access

Vulnerability Assessment (AI)

Exploitation: No special conditions — remote unauthenticated exploitation against default Unraid installations with auth-request.php endpoint accessible over network.
Risk Assessment: The CVSS 3.0 score of 7.3 (High) accurately reflects the severity given the network attack vector (AV:N), low complexity (AC:L), and no required privileges (PR:N) or user interaction (UI:N). …
Exploit Scenario: An attacker can remotely exploit this vulnerability by sending specially crafted HTTP requests to the auth-request.php endpoint with path traversal sequences (e.g., '../' patterns) to bypass authentication checks. Since no authentication or user interaction is required, automated scanning and exploitation are feasible. …
Remediation: No specific patch version or remediation steps are available in the provided intelligence. …

Recommended Action (AI)

Within 24 hours: Inventory all Unraid deployments and restrict network access to auth-request.php via firewall rules; document current access logs for signs of exploitation. …


CVE-2026-3839 vulnerability details – vuln.today
