Cyber Resilience

CVE-2026-33242

HighPublic PoC

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0003 7.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33242 is a high-severity Path Traversal (CWE-22) vulnerability in Salvo Salvo. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33242 is a Path Traversal and Access Control Bypass vulnerability (CWE-22) affecting the salvo-proxy component in the Salvo Rust web framework. Versions 0.39.0 through 0.89.2 are vulnerable due to a flaw in the encode_url_path function, which fails to normalize "../" sequences and forwards them verbatim to the upstream server by not re-encoding the "." character. This allows attackers to bypass intended proxy routing constraints. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.

An unauthenticated external attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting requests with path traversal sequences like "../", the attacker bypasses proxy restrictions to access unintended backend paths, such as protected endpoints or administrative dashboards hosted on upstream servers.

Mitigation is available in Salvo version 0.89.3, which patches the encode_url_path function. Security practitioners should upgrade to this version immediately. Official advisories and resources include the GitHub security advisory (GHSA-f842-phm9-p4v4), the release notes for v0.89.3, and the specific commit fixing the issue.

EU & UK References

Vulnerability details

Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths…

more

(e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal + access control bypass in public-facing Salvo proxy directly enables T1190 (Exploit Public-Facing Application) by allowing unauthenticated network attackers to reach protected upstream endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22257Same product: Salvo Salvo
CVE-2026-33241Same product: Salvo Salvo
CVE-2026-22256Same product: Salvo Salvo
CVE-2025-64075Shared CWE-22
CVE-2024-53537Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2025-0493Shared CWE-22
CVE-2025-70231Shared CWE-22
CVE-2026-43888Shared CWE-22
CVE-2025-15031Shared CWE-22

Affected Assets

salvo
salvo
0.39.0 — 0.89.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the path traversal vulnerability by requiring validation and normalization of URL path inputs to reject or sanitize '../' sequences before forwarding to backend servers.

prevent

Requires timely remediation of the specific flaw in the encode_url_path function by patching Salvo to version 0.89.3 or later.

prevent

Enforces approved information flows through the proxy, preventing bypass of routing constraints to access unintended backend paths like administrative dashboards.

References