CVE-2026-38360
critical
CVSS 9.8
Path Traversal in dash-uploader (CVE-2026-38360)
Summary
Path traversal in fohrloop's dash-uploader (CVE-2026-38360): request-controlled upload parameters reach os.path.join and os.makedirs without sanitization. Successful exploitation can lead to full system takeover.
AI summary (openai / gpt-4o)
There is a significant security risk in fohrloop's "dash-uploader" tool. Attackers could gain unauthorized access to sensitive files and install malicious code through the /Api/dash-uploader endpoint without authentication. Versions from 0.1.0 to 0.7.0a2 are affected. Since there's no fix, transitioning to secure systems like Plotly Dash's dcc.Upload is recommended.
CVE-2026-38360 is an unauthenticated path traversal vulnerability in fohrloop's dash-uploader, exploitable via GET requests. Specifically, in dash_uploader/httprequesthandler.py, request parameters like upload_id, resumableFilename, and resumableIdentifier are improperly sanitized before being passed to os.path.join and os.makedirs, allowing directory traversal. Versions affected are from v0.1.0 to v0.7.0a2, and there is no patch available. It is recommended to stop using it and transition to dcc.Upload component.
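The failure pattern the advisory describes, as an added example that is not dash-uploader's own code: request-supplied segments (the advisory names upload_id, resumableFilename and resumableIdentifier) are joined onto the upload directory with os.path.join, so a `..` segment walks out of it and an absolute segment makes os.path.join discard the root entirely. The handler shape, the upload root and the sample inputs are assumptions for illustration; the hardened variant shows the per-segment filter plus a resolved-path containment check that a fix would need.

```python
"""Added example (not dash-uploader's own code): unsanitized upload path
segments escaping the upload root, beside a hardened variant.
Parameter names mirror the advisory; the handler shape is hypothetical."""
import os
import pathlib

UPLOAD_ROOT = "/srv/app/uploads"  # assumed upload root for the example


def vulnerable_target_path(upload_root, upload_id, filename):
    """Pattern the advisory describes: request-controlled segments go straight
    into os.path.join. A '../' segment walks out of upload_root, and an
    absolute segment makes os.path.join drop everything before it."""
    return os.path.normpath(os.path.join(upload_root, upload_id, filename))


def safe_target_path(upload_root, upload_id, filename):
    """Hardened variant: each request-controlled value must be a single,
    non-special path segment, and the resolved target must stay under root."""
    for segment in (upload_id, filename):
        if (not segment or segment in (".", "..")
                or "/" in segment or "\\" in segment or "\x00" in segment):
            raise ValueError(f"rejected path segment: {segment!r}")
    root = pathlib.Path(upload_root).resolve()
    target = (root / upload_id / filename).resolve()
    # resolve() follows symlinks, so this containment test also catches a
    # symlinked escape that the per-segment filter alone would not see
    if target != root and root not in target.parents:
        raise ValueError("resolved path escapes upload root")
    return str(target)


def is_rejected(upload_root, upload_id, filename):
    """True when the hardened variant refuses the input (used for checks)."""
    try:
        safe_target_path(upload_root, upload_id, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # constructed attacker inputs: a traversal upload_id and an absolute one
    print(vulnerable_target_path(UPLOAD_ROOT, "../../../home/app/.ssh", "authorized_keys"))
    print(vulnerable_target_path(UPLOAD_ROOT, "/etc/cron.d", "job"))
    print(safe_target_path(UPLOAD_ROOT, "3f9c", "report.csv"))
    print(is_rejected(UPLOAD_ROOT, "../../../home/app/.ssh", "authorized_keys"))
```

Note that stripping `..` alone is not enough: the absolute-segment case never contains `..`, and a percent-encoded `%2e%2e` arrives already decoded by most frameworks, which is why the containment check on the resolved path is the part that actually closes the hole.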
❓ What is the problem
Directory Traversal vulnerability in fohrloop's dash-uploader
📍 Affected scope
GET /Api/dash-uploader endpoint, handled in dash_uploader/httprequesthandler.py; dash-uploader versions 0.1.0 through 0.7.0a2
🔥 Severity
Critical; unsanitized path parameters let an unauthenticated attacker create directories and write files outside the upload directory, which can lead to remote code execution
🔧 How to fix
Migrate to Plotly Dash's dcc.Upload component
🛡️ Workaround
No patch available; stop using dash-uploader and migrate to dcc.Upload
🔍 Detection
Check web server and application access logs for requests to /Api/dash-uploader whose upload_id, resumableFilename or resumableIdentifier parameters contain traversal sequences (`../`, the URL-encoded `%2e%2e`, or absolute paths), and check the file system for directories or files created outside the configured upload folder
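One way to run that check over access logs, as an added example that is not part of the advisory: flag requests to the endpoint whose watched parameters carry a `..` segment, an absolute path, a separator or a null byte, decoding percent-encoding (including double encoding) first. The log lines are constructed samples in combined-log format; the endpoint path and parameter names are the ones the advisory gives.

```python
"""Added detection example (not part of the advisory): scan access-log lines
for traversal attempts against the dash-uploader endpoint. Log lines below
are constructed samples, not real traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/Api/dash-uploader"  # endpoint named in the advisory
WATCHED_PARAMS = ("upload_id", "resumableFilename", "resumableIdentifier")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed samples
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /Api/dash-uploader?upload_id=3f9c&resumableFilename=data.csv&resumableChunkNumber=1 HTTP/1.1" 200 2',
    '203.0.113.7 - - [10/May/2026:12:00:02 +0000] "GET /Api/dash-uploader?upload_id=..%2F..%2F..%2Fhome%2Fapp%2F.ssh&resumableFilename=authorized_keys HTTP/1.1" 200 2',
    '203.0.113.7 - - [10/May/2026:12:00:03 +0000] "GET /Api/dash-uploader?upload_id=%252e%252e%252fetc&resumableFilename=cron.d HTTP/1.1" 200 2',
    '203.0.113.9 - - [10/May/2026:12:00:04 +0000] "GET /Api/dash-uploader?resumableIdentifier=/etc/cron.d&resumableFilename=job HTTP/1.1" 200 2',
    '198.51.100.2 - - [10/May/2026:12:00:05 +0000] "GET /_dash-layout HTTP/1.1" 200 512',
]


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, so that %2e%2e and the
    double-encoded %252e%252e both end up as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reason(value):
    """Return why a parameter value looks like traversal, or None if it is a
    plain single path segment. Backslashes are normalised to cover Windows."""
    v = fully_decode(value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if v.startswith("/"):
        return "absolute path"
    if any(segment == ".." for segment in v.split("/")):
        return "dot-dot segment"
    if "/" in v:
        return "path separator"  # an id or filename should be one segment
    return None


def scan_access_log(lines):
    """Yield one finding per watched parameter value that looks like traversal
    on a request to the dash-uploader endpoint."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.lower().startswith(ENDPOINT.lower()):
            continue
        # parse_qs already removes one layer of percent-encoding
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                reason = traversal_reason(value)
                if reason:
                    hits.append({"line": line, "param": name,
                                 "value": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['reason']:>16}  {hit['param']}={hit['value']!r}")
```

A hit is a candidate, not proof of compromise: pair it with a file-system check for new entries outside the upload folder around the request timestamp, and with the source address's other requests, before escalating.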
Related past incidents (similar incidents extracted from past CVEs)
A denial-of-service vulnerability in the same dash-uploader library, which suggests that further exploitable issues may exist in this codebase.
If this happens at your company (expected impact per business scenario)
📌 If dash-uploader is embedded in an e-commerce site's system
An attacker could inject malicious code into the system, and customer data could be leaked.
📌 If dash-uploader is used on an internal file-sharing server
The risk of internal business data being deleted or accessed without authorization increases.
📌 If dash-uploader is deployed in a public institution's digital infrastructure
Unauthorized access to confidential documents and institutional data becomes possible, which could cause social disruption.
Recommended action
We strongly recommend stopping use of dash-uploader immediately and planning a migration to Plotly Dash's dcc.Upload component.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure
`grep -r 'dash-uploader' . | grep -v node_modules`: grep for `dash-uploader` in repository and production dependency files (requirements.txt, Pipfile.lock, poetry.lock, or whatever lock file your deployment uses) to identify the running services and the installed versions.
7. Post-deployment verification
Confirm the fix is live in production: because no patched dash-uploader version exists, this means confirming that the migration to dcc.Upload is deployed and that /Api/dash-uploader is no longer served. In staging, reproduce the PoC or an equivalent exploit pattern to confirm the vulnerability is closed; in production, keep monitoring with the same log query as Step 3 to confirm that alerts do not recur.
References
- web https://github.com/a1ohadance/CVE-2026-38360
- web https://github.com/fohrloop/dash-uploader
- web https://github.com/fohrloop/dash-uploader/blob/dev/dash_uploader/httprequesthandler.py
- web https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py
- web https://github.com/fohrloop/dash-uploader/issues/153
- web https://nvd.nist.gov/vuln/detail/CVE-2026-38360
- web https://pypi.org/project/dash-uploader
- web https://github.com/advisories/GHSA-3rf6-x59v-5jfv