CVE-2026-21878
Published: 13 February 2026
Summary
CVE-2026-21878 is a high-severity Path Traversal (CWE-22) vulnerability in Bacnetstack Bacnet Stack. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21878 is a path traversal vulnerability (CWE-22) in the BACnet Stack, an open-source C library implementing the BACnet protocol for embedded systems. Prior to version 1.5.0.rc3, the file writing functionality lacks validation of user-provided file paths, allowing attackers to write files to arbitrary directories. The affected components are apps/readfile/main.c and ports/posix/bacfile-posix.c. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2026-02-13.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By supplying a specially crafted file path, they can write files to unintended directories on the target system, resulting in high integrity impact through unauthorized file modifications.
The vulnerability is fixed in BACnet Stack version 1.5.0.rc3. Mitigation involves updating to this release or later. Additional details are available in the GitHub security advisory at https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-p8rx-c26w-545j and the patching commit at https://github.com/bacnet-stack/bacnet-stack/commit/c5dc00a77b4bc2550befa67a930b333e299c18f3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6026
Vulnerability details
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.5.0.rc3, a vulnerability has been discovered in BACnet Stack's file writing functionality where there is no validation of user-provided file paths, allowing attackers to…
more
write files to arbitrary directories. This affects apps/readfile/main.c and ports/posix/bacfile-posix.c. This vulnerability is fixed in 1.5.0.rc3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated path traversal enabling arbitrary file writes on a network-exposed BACnet service directly maps to exploitation of public-facing apps and ingress of tools/files.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the lack of validation on user-provided file paths in BACnet Stack's file writing functionality, preventing path traversal attacks.
Ensures timely remediation by applying the patch released in BACnet Stack version 1.5.0.rc3 to eliminate the path traversal vulnerability.
Limits the damage from successful path traversal by enforcing least privilege on the BACnet process, restricting writes to authorized directories only.