Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4.0.2 allows Directory Traversal.
AnalysisAI
Directory traversal in Northern.tech Mender Server allows a remote authenticated attacker to read files outside intended directory boundaries, resulting in limited confidentiality exposure. Affected versions include v4.1.0, v4.0.1, and all prior releases; patched versions v4.1.1 and v4.0.2 are available. No public exploit code and no active exploitation have been identified at time of analysis, and the low CVSS score of 3.1 reflects constrained real-world impact.
Technical ContextAI
Mender Server is an open-source IoT device management platform by Northern.tech used to orchestrate over-the-air (OTA) firmware updates for embedded Linux devices. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'), indicating that user-supplied input is insufficiently sanitized before being used in file system operations, allowing sequences such as '../' to escape the intended directory context. The CVSS vector (AV:N/AC:H/PR:L) indicates exploitation occurs over the network but requires both an existing low-privileged authenticated session and elevated attack complexity, suggesting the traversal is not straightforwardly triggered. The vendor blog post references this CVE alongside CVE-2026-33552, which addresses access control issues in the same release, implying a broader input-sanitization and authorization hardening effort. The CPE string provided (cpe:2.3:a:n/a:n/a) is a placeholder and does not add product-specific detail.
RemediationAI
The primary fix is to upgrade Mender Server to version 4.1.1 (if running the 4.1.x branch) or version 4.0.2 (if running the 4.0.x branch), as confirmed by the CVE description and vendor blog post at https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server. If immediate upgrade is not feasible, restrict API access to Mender Server to only explicitly trusted, least-privilege authenticated accounts, reducing the pool of principals who could attempt traversal. Additionally, deploy network-layer controls (reverse proxy, WAF rule) to block path segments containing traversal sequences ('../', '%2e%2e', etc.) in HTTP request paths targeting the Mender Server API - note that WAF rules may produce false positives if legitimate paths contain encoded characters and should be tested before production deployment. Monitor authenticated user activity logs for anomalous file path patterns. Upgrading is the only confirmed remediation; compensating controls reduce exposure but do not eliminate the underlying unsanitized path handling.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today