{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dalfox/v2--2.12.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox/v2 (\u003c= 2.12.0)"],"_cs_severities":["critical"],"_cs_tags":["rce","dalfox","cve-2026-45087"],"_cs_type":"advisory","_cs_vendors":["Hahwul"],"content_html":"\u003cp\u003eDalfox, a security auditing tool, is vulnerable to unauthenticated remote code execution (CVE-2026-45087) when running in REST API server mode (\u003ccode\u003edalfox server\u003c/code\u003e) with default settings. The server binds to \u003ccode\u003e0.0.0.0:6664\u003c/code\u003e and, unless explicitly configured with \u003ccode\u003e--api-key\u003c/code\u003e, does not require authentication. A flaw exists in how the server handles \u003ccode\u003emodel.Options\u003c/code\u003e, specifically \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e, which are deserialized directly from attacker-supplied JSON in \u003ccode\u003ePOST /scan\u003c/code\u003e. Because \u003ccode\u003edalfox.Initialize\u003c/code\u003e propagates these fields into the final scan options without sanitization, any unauthenticated attacker can execute arbitrary shell commands on the host OS whenever a scan finding is triggered. This vulnerability affects dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker starts a \u003ccode\u003edalfox server\u003c/code\u003e instance in REST API mode without specifying an API key, leaving it open to unauthenticated access.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious web server that reflects input, ensuring any scan against it will produce a finding.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the dalfox server.\u003c/li\u003e\n\u003cli\u003eThe request includes a JSON payload containing the URL of the malicious web server and \u003ccode\u003eoptions\u003c/code\u003e with malicious values for \u003ccode\u003efound-action\u003c/code\u003e and \u003ccode\u003efound-action-shell\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostScanHandler\u003c/code\u003e deserializes the JSON payload into a \u003ccode\u003eReq\u003c/code\u003e struct, including the \u003ccode\u003eoptions\u003c/code\u003e field which contains the malicious \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eScanFromAPI\u003c/code\u003e function is called, passing the attacker-controlled options to \u003ccode\u003edalfox.Initialize\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edalfox.Initialize\u003c/code\u003e copies the attacker-supplied \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values into the scan options without sanitization.\u003c/li\u003e\n\u003cli\u003eWhen a finding is triggered during the scan, the \u003ccode\u003efoundAction\u003c/code\u003e function executes the attacker-supplied shell command using \u003ccode\u003eexec.Command\u003c/code\u003e, achieving remote code execution on the dalfox host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in unauthenticated remote code execution on the host running \u003ccode\u003edalfox server\u003c/code\u003e. This grants the attacker full read access to secrets, configuration files, and credentials accessible to the dalfox process. The attacker can perform arbitrary file writes, enabling persistence, backdoor installation, and data exfiltration. The default \u003ccode\u003e0.0.0.0\u003c/code\u003e bind address exposes the server to all network interfaces, potentially including public-facing ones in misconfigured environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRequire API key:\u003c/strong\u003e Enforce the use of \u003ccode\u003e--api-key\u003c/code\u003e in REST server mode by rejecting server startup if no API key is provided, as described in the remediation suggestion within the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStrip \u003ccode\u003eFoundAction\u003c/code\u003e / \u003ccode\u003eFoundActionShell\u003c/code\u003e:\u003c/strong\u003e Sanitize API-sourced requests by removing the \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e options in the \u003ccode\u003epostScanHandler\u003c/code\u003e to prevent untrusted callers from setting execution-control options.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules:\u003c/strong\u003e Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Dalfox:\u003c/strong\u003e Upgrade to a patched version of Dalfox that addresses CVE-2026-45087.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:12Z","date_published":"2026-05-12T15:10:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/","summary":"Dalfox in REST API server mode is vulnerable to unauthenticated remote code execution (CVE-2026-45087) because the server binds to 0.0.0.0:6664 by default without requiring an API key and deserializes attacker-supplied JSON in `POST /scan` without stripping the `FoundAction` and `FoundActionShell` fields, allowing arbitrary command execution.","title":"Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Dalfox/V2 (\u003c= 2.12.0)","version":"https://jsonfeed.org/version/1.1"}