Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the host filesystem, bypassing the application's intended storage sandbox.
AnalysisAI
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary files to the filesystem by bypassing path sanitization in the storage sandbox. An attacker with administrative privileges can exploit insufficient input validation to create or overwrite files anywhere on the host system. EPSS score of 0.03% indicates minimal real-world exploitation probability despite the moderate CVSS 5.9 score, suggesting the vulnerability requires both authenticated access and administrative privileges that significantly limit practical attack surface.
Technical ContextAI
Casdoor is an open-source identity and access management platform that provides pluggable storage backends, including a Local File System provider for file operations. The vulnerability exists in the Local File System storage module's path handling logic, where user-supplied file paths are not properly sanitized before filesystem operations. This allows classic path traversal techniques (e.g., '../../../') to escape the intended storage directory sandbox. The root cause is insufficient validation against directory traversal sequences in file write operations, classified under path traversal weaknesses. Casdoor versions through 2.328.0 are affected, indicating this is a historical vulnerability in the core storage abstraction layer.
RemediationAI
Upgrade Casdoor to a version newer than 2.328.0 to obtain the path sanitization fix; exact patched version not specified in available references. As an interim workaround, disable the Local File System storage provider and use alternative storage backends (e.g., S3, MinIO, or cloud storage) that are less susceptible to local path traversal, though this changes the storage architecture. Additionally, restrict Local File System storage configuration to users with strict administrative vetting, and apply OS-level filesystem permissions to limit the Casdoor process's write scope to a narrow directory with read-only parent paths to constrain traversal impact. Verify the fix in release notes at https://github.com/casdoor/casdoor/releases once patched versions are released, and test path traversal payloads in staging before production deployment.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by s
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29080
GHSA-rmxx-v9rj-vpvg