Skip to content
Threat Feed
high advisory

CVE-2026-16209: Missing Authentication in Gerapy Project Upload Endpoint

A vulnerability (CVE-2026-16209) in Gerapy versions up to 0.9.13 allows remote unauthenticated access to the Project Upload Endpoint due to missing authentication, enabling attackers to manipulate files and potentially leading to data compromise, with public exploit details available.

A high-severity vulnerability, identified as CVE-2026-16209, has been discovered in Gerapy, an open-source distributed crawling framework, affecting all versions up to 0.9.13. The flaw resides in an unknown function within the gerapy/server/core/views.py file, specifically impacting the Project Upload Endpoint. This critical vulnerability is due to missing authentication, allowing an unauthenticated remote attacker to perform unauthorized file manipulation. Public exploit details for this vulnerability have been disclosed, increasing the urgency for remediation. Organizations using affected Gerapy versions are at risk of data compromise, unauthorized code execution, or service disruption through this unauthenticated access. A patch associated with commit bd4891c60315f17611a3b7a651ffe0fba7cfe71e is available to address this issue.

Attack Chain

  1. Reconnaissance: An attacker identifies a publicly accessible Gerapy instance running a vulnerable version (up to 0.9.13).
  2. Vulnerability Identification: The attacker leverages public exploit details for CVE-2026-16209, understanding the lack of authentication in the Project Upload Endpoint.
  3. Initial Access: The attacker sends an unauthenticated HTTP POST request directly to the vulnerable gerapy/server/core/views.py Project Upload Endpoint.
  4. Authentication Bypass: Due to the missing authentication check, the Gerapy server processes the attacker's request without requiring any valid credentials or session tokens.
  5. Unauthorized File Manipulation: The attacker performs unauthorized actions, such as uploading malicious files, overwriting existing project files, or altering configuration data through the endpoint.
  6. Impact on Data and System Integrity: This leads to unauthorized file modification, data compromise, or potentially remote code execution if the uploaded files are executable or contain web shell content.
  7. Persistence/Further Compromise: Depending on the attacker's objectives and the system's configuration, successful exploitation could lead to persistence within the Gerapy environment or further lateral movement within the network.

Impact

Successful exploitation of CVE-2026-16209 can result in significant compromise of data confidentiality, integrity, and availability within affected Gerapy environments. Since the vulnerability allows unauthenticated file manipulation via the Project Upload Endpoint, attackers can upload malicious scripts, web shells, or overwrite legitimate project files. This could lead to unauthorized code execution on the server, complete takeover of the Gerapy instance, exfiltration of sensitive crawling data, or disruption of crawling operations. While specific victim numbers are not disclosed, the public availability of exploit details increases the likelihood of widespread exploitation against unpatched Gerapy installations.

Recommendation

  • Patch CVE-2026-16209 immediately by applying the provided patch from the GitHub commit bd4891c60315f17611a3b7a651ffe0fba7cfe71e or upgrading to a version higher than 0.9.13.
  • Block network access to the Gerapy server's Project Upload Endpoint (/gerapy/server/core/views.py) from untrusted networks if external access is not strictly required.
  • Monitor web server logs for the affected Gerapy instance for suspicious unauthenticated POST requests targeting /gerapy/server/core/views.py using your SIEM's logging capabilities.

Indicators of compromise

2

url

TypeValue
urlhttps://github.com/Gerapy/Gerapy/commit/bd4891c60315f17611a3b7a651ffe0fba7cfe71e
urlhttps://vuldb.com/cve/CVE-2026-16209