Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
PUBLISHED5.2CWE-22
Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read
Problem type
Affected products
owen2345
Camaleon CMS
<= 2.9.0 - AFFECTED
commit f54a77e - UNAFFECTED
References
github.com
https://github.com/owen2345/camaleon-cms/pull/1127
github.com
https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af
camaleon.website
https://camaleon.website/
vulncheck.com
https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-1776Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-1776",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-03-09T21:08:06.600Z",
"dateReserved": "2026-02-02T18:05:13.516Z",
"datePublished": "2026-03-09T21:08:06.600Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-03-09T21:08:06.600Z"
},
"title": "Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read",
"descriptions": [
{
"lang": "en",
"value": "Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend."
}
]
}
],
"affected": [
{
"vendor": "owen2345",
"product": "Camaleon CMS",
"packageName": "camaleon-cms",
"repo": "https://github.com/owen2345/camaleon-cms",
"defaultStatus": "unaffected",
"versions": [
{
"version": "2.4.5.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "2.9.0"
},
{
"version": "commit f54a77e",
"status": "unaffected",
"versionType": "custom"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/owen2345/camaleon-cms/pull/1127",
"tags": [
"issue-tracking"
]
},
{
"url": "https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af",
"tags": [
"patch"
]
},
{
"url": "https://camaleon.website/",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Loomis (investigato)",
"type": "finder"
},
{
"lang": "en",
"value": "VulnCheck",
"type": "coordinator"
}
]
}
}
}