Skip to main content

Appium storage plugin CVE-2026-58192

| EUVDEUVD-2026-42424 HIGH
Path Traversal (CWE-22)
2026-07-08 security-advisories@github.com
8.6
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
10.0 CRITICAL

Unauthenticated network endpoint with no interaction (AV:N/AC:L/PR:N/UI:N); traversal escapes the plugin boundary (S:C) and recursive deletion destroys data, so I:H and A:H, with C:N as no data is read.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 22:04 EUVD
Analysis Generated
Jul 08, 2026 - 21:45 vuln.today

DescriptionCVE.org

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.

AnalysisAI

Unauthenticated arbitrary file/directory deletion in the Appium storage plugin (versions prior to 1.1.6) allows a remote client to recursively delete writable files outside the storage root via the POST /storage/delete endpoint. The handler feeds the user-supplied name into path.join(storageRoot, name) and fs.rimraf() without sanitization, so ../ sequences escape the intended directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Appium HTTP server
Delivery
Send POST /storage/delete with ../ name
Exploit
Traversal escapes storageRoot
Execution
fs.rimraf() recursively deletes target
Impact
Files/directories destroyed

Vulnerability AssessmentAI

Exploitation The Appium storage plugin must be installed and enabled (it is an optional plugin, not core Appium), and the Appium server's HTTP interface must be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N, base 8.6) signals a genuinely easy attack: network-reachable, no authentication, no user interaction, low complexity, with a scope change reflecting that deletion reaches files outside the plugin's security boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Appium HTTP server (for example an Appium/CI host inadvertently exposed to a shared or internet-facing network) sends a single crafted POST /storage/delete request with a name value containing ../ sequences pointing at build artifacts, config files, or other writable data. With AV:N/AC:L/PR:N/UI:N, no credentials or victim interaction are needed, and fs.rimraf() recursively wipes the targeted path. …
Remediation Vendor-released patch: upgrade @appium/storage-plugin to version 1.1.6 or later (advisory GHSA-jwgx-mp9m-jwcr; release https://github.com/appium/appium/releases/tag/@appium/storage-plugin@1.1.6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Inventory all systems running Appium storage plugin versions prior to 1.1.6; implement firewall or network segmentation rules to restrict access to the POST /storage/delete endpoint to authorized internal networks only; enable endpoint logging and alerting. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy