Skip to main content

Mender Server CVE-2026-49009

LOW
Path Traversal (CWE-22)
2026-05-27 mitre
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 14:24 vuln.today
CVSS changed
May 28, 2026 - 14:22 NVD
3.1 (LOW)
CVE Published
May 27, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4.0.2 allows Directory Traversal.

AnalysisAI

Directory traversal in Northern.tech Mender Server allows a remote authenticated attacker to read files outside intended directory boundaries, resulting in limited confidentiality exposure. Affected versions include v4.1.0, v4.0.1, and all prior releases; patched versions v4.1.1 and v4.0.2 are available. No public exploit code and no active exploitation have been identified at time of analysis, and the low CVSS score of 3.1 reflects constrained real-world impact.

Technical ContextAI

Mender Server is an open-source IoT device management platform by Northern.tech used to orchestrate over-the-air (OTA) firmware updates for embedded Linux devices. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'), indicating that user-supplied input is insufficiently sanitized before being used in file system operations, allowing sequences such as '../' to escape the intended directory context. The CVSS vector (AV:N/AC:H/PR:L) indicates exploitation occurs over the network but requires both an existing low-privileged authenticated session and elevated attack complexity, suggesting the traversal is not straightforwardly triggered. The vendor blog post references this CVE alongside CVE-2026-33552, which addresses access control issues in the same release, implying a broader input-sanitization and authorization hardening effort. The CPE string provided (cpe:2.3:a:n/a:n/a) is a placeholder and does not add product-specific detail.

RemediationAI

The primary fix is to upgrade Mender Server to version 4.1.1 (if running the 4.1.x branch) or version 4.0.2 (if running the 4.0.x branch), as confirmed by the CVE description and vendor blog post at https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server. If immediate upgrade is not feasible, restrict API access to Mender Server to only explicitly trusted, least-privilege authenticated accounts, reducing the pool of principals who could attempt traversal. Additionally, deploy network-layer controls (reverse proxy, WAF rule) to block path segments containing traversal sequences ('../', '%2e%2e', etc.) in HTTP request paths targeting the Mender Server API - note that WAF rules may produce false positives if legitimate paths contain encoded characters and should be tested before production deployment. Monitor authenticated user activity logs for anomalous file path patterns. Upgrading is the only confirmed remediation; compensating controls reduce exposure but do not eliminate the underlying unsanitized path handling.

Share

CVE-2026-49009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy