CVE-2022-50890
Published: 13 January 2026
Summary
CVE-2022-50890 is a high-severity Path Traversal (CWE-22) vulnerability in Skyjos Owlfiles. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-50890 is a path traversal vulnerability (CWE-22) in Owlfiles File Manager version 12.0.1. The flaw affects the application's built-in HTTP server, enabling attackers to access restricted system directories on the device through specially crafted requests. Published on 2026-01-13, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
Remote attackers can exploit the vulnerability without authentication, privileges, or user interaction by sending GET requests containing directory traversal sequences, such as ../ patterns. Successful exploitation allows reading contents of system directories, potentially exposing sensitive files on the targeted device.
Advisories and mitigation guidance are detailed in resources including the VulnCheck advisory at https://www.vulncheck.com/advisories/owlfiles-file-manager-path-traversal, while a proof-of-concept exploit is publicly available on Exploit-DB at https://www.exploit-db.com/exploits/51036. Additional context appears on the Owlfiles App Store page (https://apps.apple.com/us/app/owlfiles-file-manager/id510282524) and https://www.skyjos.com/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2649
Vulnerability details
Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Path traversal in public-facing HTTP server directly enables remote file/directory access (T1190 exploitation + T1005/T1083 data discovery).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates validation of inputs to the HTTP server, directly preventing directory traversal sequences like ../ from accessing restricted system directories.
AC-3 enforces access controls on files and directories, ensuring that even malformed path requests cannot read contents from unauthorized system areas.
SC-7 implements boundary protection at the HTTP server interface, filtering or blocking crafted GET requests containing path traversal patterns before they reach the application.
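How the SI-10 and AC-3 controls above combine in a file-serving HTTP handler, as an added example that is not Owlfiles code or part of the original advisory: the request path is decoded and validated, then the canonical result is checked against the shared root. The function name `resolve_within_root`, the directory layout and the request targets are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


def resolve_within_root(root, request_target):
    """Map a GET request target to a path under root, or return None to refuse."""
    # Decode once so encoded forms such as %2e%2e%2f are validated as what they mean.
    path = unquote(urlsplit(request_target).path)
    if "\x00" in path or "\\" in path:
        return None
    # SI-10 (input validation): refuse any dot-dot segment outright.
    if ".." in path.split("/"):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, path.lstrip("/")))
    # AC-3 (access enforcement): the canonical path, with symlinks resolved,
    # must still be inside the shared root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo():
    """Run constructed request targets against a throwaway shared folder."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "shared")
    outside = os.path.join(base, "private")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "link"))  # symlink that leaves the root
    targets = [
        "/docs/a.txt",                   # ordinary request
        "/../../etc/passwd",             # plain traversal
        "/%2e%2e/%2e%2e/etc/passwd",     # percent-encoded dots
        "/docs/..%2f..%2fprivate/key",   # percent-encoded slashes
        "/link/key",                     # no dot-dot, escapes via symlink
    ]
    return {t: resolve_within_root(root, t) is not None for t in targets}


if __name__ == "__main__":
    for target, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", target)
```

The symlink case passes the dot-dot filter and is only caught by the canonical-path comparison, which is why input validation alone is not sufficient.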