Skip to main content

Echo Framework EUVDEUVD-2026-39800

| CVE-2026-55677 HIGH
Path Traversal (CWE-22)
2026-06-26 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Remote unauthenticated request with an encoded slash needs no privileges or interaction (AV:N/AC:L/PR:N/UI:N); impact is unauthorized file reads only, so C:H but I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 18:02 EUVD
Analysis Generated
Jun 26, 2026 - 17:23 vuln.today

DescriptionCVE.org

Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization. This vulnerability is fixed in 4.15.3 and 5.2.0.

AnalysisAI

Path-based access control bypass in the LabStack Echo Go web framework (versions prior to 4.15.3 and 5.2.0) lets remote attackers retrieve protected static files without authorization. The flaw stems from the router matching routes on the raw encoded path (keeping %2F literal) while StaticDirectoryHandler decodes %2F to '/' before filesystem resolution, so a crafted URL slips past route-level guards. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Echo app serving static files
Delivery
Craft URL with %2F encoded slash
Exploit
Router skips access-control middleware
Execution
Static handler decodes path and resolves file
Impact
Read unauthorized static file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Echo application (1) serves files using StaticDirectoryHandler and (2) enforces access controls via route-level middleware on those static paths - this is the exact precondition implied by the advisory's router/handler decoding mismatch. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and internally consistent: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N yields 7.5 (High) with network reach, low complexity, no privileges and no user interaction, but impact is confined to confidentiality (C:H, I:N, A:N) - no integrity or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An Echo application protects a directory of sensitive static files (e.g., /private/) with route middleware while serving them via StaticDirectoryHandler. An unauthenticated attacker requests a URL using %2F in place of the slash so the router's access-control route fails to match, but the static handler decodes it and returns the protected file. …
Remediation Vendor-released patch: upgrade to Echo 4.15.3 on the 4.x branch or 5.2.0 on the 5.x branch, which align path decoding between the router and StaticDirectoryHandler; see the advisory at https://github.com/labstack/echo/security/advisories/GHSA-vfp3-v2gw-7wfq. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all applications using LabStack Echo framework (versions 4.x and 5.x) and identify those serving protected static files; consult application teams on deployment status and assets at risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy