Cyber Resilience

CVE-2022-50890

High · Public PoC

Published: 13 January 2026
Modified: 29 January 2026
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0093 (56.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2022-50890 is a high-severity Path Traversal (CWE-22) vulnerability in Skyjos Owlfiles. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-50890 is a path traversal vulnerability (CWE-22) in Owlfiles File Manager version 12.0.1. The flaw affects the application's built-in HTTP server, enabling attackers to access restricted system directories on the device through specially crafted requests. Published on 2026-01-13, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Remote attackers can exploit the vulnerability without authentication, privileges, or user interaction by sending GET requests containing directory traversal sequences, such as ../ patterns. Successful exploitation allows reading contents of system directories, potentially exposing sensitive files on the targeted device.

Advisories and mitigation guidance are detailed in resources including the VulnCheck advisory at https://www.vulncheck.com/advisories/owlfiles-file-manager-path-traversal, while a proof-of-concept exploit is publicly available on Exploit-DB at https://www.exploit-db.com/exploits/51036. Additional context appears on the Owlfiles App Store page (https://apps.apple.com/us/app/owlfiles-file-manager/id510282524) and https://www.skyjos.com/.

Vulnerability details

Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Path traversal in a public-facing HTTP server directly enables remote file and directory access (T1190 exploitation plus T1005/T1083 data discovery).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20615 · Same product: Apple iPadOS
CVE-2026-20688 · Same product: Apple iPadOS
CVE-2026-20660 · Same product: Apple iPadOS
CVE-2025-43428 · Same product: Apple iPadOS
CVE-2025-43347 · Same product: Apple iPadOS
CVE-2025-43359 · Same product: Apple iPadOS
CVE-2025-30426 · Same product: Apple iPadOS
CVE-2025-24230 · Same product: Apple iPadOS
CVE-2025-24173 · Same product: Apple iPadOS
CVE-2025-24211 · Same product: Apple iPadOS

Affected Assets

Vendor: skyjos
Product: owlfiles
Version: 12.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of inputs to the HTTP server, directly preventing directory traversal sequences like ../ from accessing restricted system directories.

prevent

AC-3 enforces access controls on files and directories, ensuring that even malformed path requests cannot read contents from unauthorized system areas.

prevent · detect

SC-7 implements boundary protection at the HTTP server interface, filtering or blocking crafted GET requests containing path traversal patterns before they reach the application.
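
The SI-10 and AC-3 controls above come down to one server-side check: decode the request target, resolve it against the shared root, and refuse anything that lands outside. The following is an added example, not Owlfiles code or anything from the advisory; the function names and the sample request targets are hypothetical and constructed for illustration.

```python
import os
from urllib.parse import unquote


class PathRejected(Exception):
    """Raised when a request target does not resolve inside the shared root."""


def resolve_request_path(share_root: str, request_target: str) -> str:
    """Map an HTTP GET request target to a file path confined to share_root."""
    root = os.path.realpath(share_root)
    # SI-10: validate the input. Drop the query/fragment, then decode once.
    raw = request_target.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(raw)
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # A second decoding pass that still changes the string means the client
    # double-encoded it (e.g. %252e), a common way to slip past naive filters.
    if "%" in decoded and unquote(decoded) != decoded:
        raise PathRejected("double-encoded path")
    # Treat backslashes as separators, and strip leading slashes so that
    # os.path.join cannot be handed an absolute path that replaces the root.
    relative = decoded.replace("\\", "/").lstrip("/")
    # AC-3: enforce access on the resolved path. realpath collapses '..' and
    # follows symlinks, so the comparison is made on the real location.
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath compares whole components; a plain startswith() would wrongly
    # accept a sibling directory such as '<root>-backup'.
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("resolves outside the shared root")
    return candidate


def is_allowed(share_root: str, request_target: str) -> bool:
    """Convenience wrapper: True when the target stays inside share_root."""
    try:
        resolve_request_path(share_root, request_target)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed request targets, checked against a constructed share root.
    for target in ["/docs/report.pdf", "/../../etc/passwd", "/%2e%2e/%2e%2e/x"]:
        print(target, "->", "serve" if is_allowed("/srv/share", target) else "reject")
```

Rejected targets are worth logging with the client address, since a run of them against the file server is a useful detection signal.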
