Path Traversal Vulnerability in API File Upload Endpoint (CVE-2026-5027)
The 'POST /api/v2/files' endpoint is vulnerable to path traversal due to improper sanitization of the 'filename' parameter, potentially allowing attackers to write files to arbitrary locations on the filesystem and achieve remote code execution.
CVE-2026-5027 exposes a critical vulnerability in the ‘POST /api/v2/files’ endpoint, where the ‘filename’ parameter within multipart form data is not properly sanitized. This flaw allows an attacker to manipulate the filename by injecting path traversal sequences such as ‘../’, leading to the ability to write files to arbitrary locations on the server’s filesystem. This vulnerability was reported by Tenable Network Security, Inc. and has a CVSS v3.1 base score of 8.8 (HIGH). Successful…
Detection coverage (2)
Detect Suspicious File Upload with Path Traversal
Severity: critical. Detects potential path traversal attempts in file upload requests by checking for '../' sequences in the filename.
Detect Suspicious File Creation from Web Server
Severity: high. Detects files being created in sensitive directories by the web server process, which may indicate successful path traversal exploitation.
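The filename check described above, paired with a server-side containment check, as an added example (not the platform's rules and not the affected product's code). It goes beyond the literal '../' match to cover percent-encoded, backslash and absolute-path forms; `UPLOAD_ROOT`, the function names and the sample headers are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/app/uploads"  # assumed upload directory, not from the advisory
FILENAME_RE = re.compile(r'\bfilename="?([^";\r\n]+)"?', re.IGNORECASE)

SAMPLE_PARTS = [  # constructed multipart part headers, not captured traffic
    'Content-Disposition: form-data; name="file"; filename="report.pdf"',
    'Content-Disposition: form-data; name="file"; filename="../../outside.txt"',
    'Content-Disposition: form-data; name="file"; filename="..%2f..%2foutside.txt"',
]


def normalize(filename):
    """Percent-decode twice (catches double encoding) and unify separators."""
    return unquote(unquote(filename)).replace("\\", "/")


def traversal_reasons(filename):
    """Reasons a client-supplied filename looks like traversal; empty if clean."""
    name, reasons = normalize(filename), []
    if ".." in name.split("/"):  # whole segments only, so "my..file.txt" is clean
        reasons.append("dot-dot-segment")
    if name.startswith("/") or re.match(r"[A-Za-z]:", name):
        reasons.append("absolute-path")
    return reasons


def scan_parts(parts):
    """Map each flagged filename found in the part headers to its reasons."""
    hits = {}
    for header in parts:
        m = FILENAME_RE.search(header)
        reasons = traversal_reasons(m.group(1)) if m else []
        if reasons:
            hits[m.group(1)] = reasons
    return hits


def resolve_upload_path(filename, root=UPLOAD_ROOT):
    """Mitigation: keep only the base name and confirm it stays under root."""
    base = posixpath.basename(normalize(filename))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError("rejected filename: %r" % filename)
    dest = posixpath.normpath(posixpath.join(root, base))
    if posixpath.commonpath([root, dest]) != root:
        raise ValueError("destination escapes upload root: %r" % filename)
    return dest
```

The detection function is for logging and alerting on request data; the containment check in `resolve_upload_path` is what keeps a write inside the upload directory even when a pattern is missed.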