CVE-2026-24469
Published: 24 January 2026
Summary
CVE-2026-24469 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 10.8th percentile (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24469 is a path traversal vulnerability affecting C++ HTTP Server, an HTTP/1.1 server designed to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable through the RequestHandler::handleRequest method, where the application fails to sanitize the filename variable derived from the user-controlled URL path. This variable is directly concatenated to the files_directory base path, allowing traversal outside the intended root directory. The issue is classified under CWE-22 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP GET request whose path contains ../ sequences. Successful exploitation lets the attacker read arbitrary files from the server's filesystem, bounded only by what the account running the server process can read, potentially exposing sensitive configuration files, credentials, or other data without requiring privileges or user interaction.
The GitHub security advisory at https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff details the vulnerability. No patch was available at the time of publication on 2026-01-24.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4601
Vulnerability details
C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication.
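The following C++ is an added illustration of the mechanism described in the "Deeper analysis" and "Vulnerability details" sections; it is not code from the advisory or from the frustratedProton/http-server project. It reconstructs the unsafe "concatenate the request path onto files_directory" pattern beside a hardened resolver that percent-decodes, normalises and then proves the result stays under the root. The function names, the root directory /srv/files and the request lines are assumptions for the example.

```cpp
// Added example (not the advisory's or the frustratedProton/http-server project's code):
// the unsafe concatenation pattern CVE-2026-24469 describes, next to a hardened resolver.
// Root directory, function names and request lines are assumptions for illustration.
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Request-line parser: "GET /path HTTP/1.1" -> "/path". This is the user-controlled value.
std::optional<std::string> request_target(std::string_view request_line) {
    size_t a = request_line.find(' ');
    if (a == std::string_view::npos) return std::nullopt;
    size_t b = request_line.find(' ', a + 1);
    if (b == std::string_view::npos) return std::nullopt;
    return std::string(request_line.substr(a + 1, b - a - 1));
}

// Vulnerable pattern: the target is appended to files_directory with no validation, so
// "/../../etc/passwd" becomes "/srv/files/../../etc/passwd", which the OS resolves to
// /etc/passwd when the file is opened.
std::string vulnerable_resolve(const std::string& files_directory, const std::string& url_path) {
    return files_directory + url_path;
}

// Percent-decode so encoded traversal (%2e%2e%2f) is seen as "../" before any check runs.
static std::optional<std::string> percent_decode(std::string_view in) {
    auto hex = [](char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    };
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out.push_back(in[i]); continue; }
        if (i + 2 >= in.size()) return std::nullopt;          // truncated escape
        int hi = hex(in[i + 1]), lo = hex(in[i + 2]);
        if (hi < 0 || lo < 0) return std::nullopt;            // malformed escape
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
    }
    return out;
}

// Hardened resolver: decode, drop the query string, normalise lexically, then confirm the
// result still lies under files_directory. Returns nullopt for anything that should be a 404.
std::optional<fs::path> safe_resolve(const fs::path& files_directory, std::string_view url_path) {
    if (auto q = url_path.find('?'); q != std::string_view::npos) url_path = url_path.substr(0, q);
    auto decoded = percent_decode(url_path);
    if (!decoded) return std::nullopt;
    // An embedded NUL would silently truncate the name at the open() call underneath.
    if (decoded->find('\0') != std::string::npos) return std::nullopt;
    // Strip leading '/': fs::path::operator/ replaces the left side when the right side is
    // absolute, so root / "/etc/passwd" would yield "/etc/passwd".
    std::string_view rel = *decoded;
    while (!rel.empty() && rel.front() == '/') rel.remove_prefix(1);

    fs::path root = files_directory.lexically_normal();
    if (!root.has_filename()) root = root.parent_path();      // drop a trailing separator
    fs::path candidate = (root / fs::path(std::string(rel))).lexically_normal();
    // lexically_relative starts with ".." exactly when the candidate escaped the root.
    fs::path back = candidate.lexically_relative(root);
    if (back.empty() || *back.begin() == fs::path("..")) return std::nullopt;
    return candidate;
}

int main() {
    const std::string root = "/srv/files";                    // assumed files_directory
    const char* lines[] = {                                   // constructed request lines
        "GET /docs/readme.txt HTTP/1.1",
        "GET /../../etc/passwd HTTP/1.1",
        "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    };
    for (const char* line : lines) {
        std::string target = request_target(line).value_or("");
        auto hardened = safe_resolve(root, target);
        std::cout << target << "\n  vulnerable -> " << vulnerable_resolve(root, target)
                  << "\n  hardened   -> " << (hardened ? hardened->string() : "rejected") << "\n";
    }
}
```

The containment check deliberately works on the lexically normalised path rather than on a string prefix test: a prefix test on "/srv/files" would accept "/srv/files_private/secret" and would miss the absolute-path replacement behaviour of fs::path::operator/. Decoding before normalising matters because a check on the raw request would not see "%2e%2e%2f" as traversal. Symlinks inside the root are a separate concern that a lexical check cannot catch; resolving with fs::canonical on the final candidate and re-checking is the usual follow-up.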
Related Threats
MITRE ATT&CK Enterprise Techniques
Path traversal in a public-facing HTTP server directly enables remote, unauthenticated file read: T1190 (Exploit Public-Facing Application) covers the initial exploitation of the server, and T1005 (Data from Local System) covers the resulting arbitrary local file access.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the failure to sanitize the user-controlled filename from the URL path by requiring validation that blocks traversal sequences such as ../, including their percent-encoded forms.
- AC-3 (Access Enforcement): enforces logical access restrictions so that the HTTP server only allows reads within the intended files_directory base path, preventing arbitrary file access even if a traversal sequence reaches the file-open step.
- Restricts HTTP request inputs to safe path formats, mitigating traversal attempts by rejecting unauthorized characters or patterns derived from the URL.