CVE-2026-33242
Published: 24 March 2026
Summary
CVE-2026-33242 is a high-severity Path Traversal (CWE-22) vulnerability in the salvo-proxy component of the Salvo Rust web framework. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 7.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation); the only complete fix is upgrading Salvo to 0.89.3 or later.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly mitigates the path traversal by requiring validation and normalization of URL path inputs, so that "../" sequences (including percent-encoded forms) are rejected or resolved before the request is forwarded to the backend server.
SI-2 (Flaw Remediation): requires timely remediation of the specific flaw in the encode_url_path function by patching Salvo to version 0.89.3 or later. Confirm the resolved dependency version with `cargo tree -i salvo-proxy`, since an application may pull the component in transitively.
AC-4 (Information Flow Enforcement): enforces approved information flows through the proxy, preventing bypass of routing constraints to reach unintended backend paths such as administrative dashboards. Compensating controls at the upstream (authentication on the protected endpoints themselves, rather than trusting the proxy prefix) limit impact until the patch is applied.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal combined with access control bypass in a public-facing Salvo proxy directly enables T1190 (Exploit Public-Facing Application): an unauthenticated network attacker can reach upstream endpoints that the proxy's routing rules were meant to keep unreachable.
NVD Description
Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.
Deeper analysis
CVE-2026-33242 is a Path Traversal and Access Control Bypass vulnerability (CWE-22) affecting the salvo-proxy component of the Salvo Rust web framework. Versions 0.39.0 through 0.89.2 are vulnerable because the encode_url_path function neither normalizes "../" sequences nor re-encodes the "." character, so a client-supplied path is forwarded to the upstream server with its dot segments intact. The proxy's routing decision is made on the original path (which matches the permitted prefix), while the upstream resolves the dot segments and serves a different resource; that mismatch is what defeats the routing constraints. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, no integrity or availability impact.
An unauthenticated external attacker can exploit this over the network with low complexity and no user interaction. By sending a request whose path matches a proxied prefix but contains traversal sequences such as "../", the attacker causes the proxy to forward a path that the upstream resolves to a location outside the intended prefix, such as a protected endpoint or an administrative dashboard hosted on the same upstream. Only deployments that route traffic through salvo-proxy are affected; the flaw is in that component, not in the framework's request routing generally.
Mitigation is available in Salvo version 0.89.3, which patches the encode_url_path function; upgrade as soon as possible. Until then, do not rely on proxy prefix routing alone as an access control: the upstream should authenticate requests to sensitive endpoints itself. Official advisories and resources include the GitHub security advisory (GHSA-f842-phm9-p4v4), the release notes for v0.89.3, and the commit fixing the issue.
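To make the failure mode concrete, the following is an added example and not Salvo's code; the function names vulnerable_upstream_path, hardened_upstream_path and PathError are assumed for illustration and are not the patched encode_url_path. It contrasts a proxy that concatenates the routed prefix with the client path verbatim (the class of bug described above) against one that decodes each segment, resolves dot segments, rejects any traversal that would climb above the prefix, and re-encodes the segments before forwarding. The decode-per-segment step is what catches "%2e%2e", which a check on the raw string for "../" would miss.

```rust
/// Errors the hardened path builder can return.
#[derive(Debug, PartialEq)]
pub enum PathError {
    /// A ".." segment would escape the routed prefix.
    Traversal,
    /// A segment contains a byte that must never reach the upstream (NUL).
    BadSegment,
}

/// Decode %XX escapes in one path segment. Invalid escapes are kept as-is.
fn percent_decode(s: &str) -> Vec<u8> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let (Some(h), Some(l)) = (hex_val(bytes[i + 1]), hex_val(bytes[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    out
}

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// Re-encode a decoded segment: everything outside RFC 3986 "unreserved" becomes %XX,
/// so a decoded '/' inside a segment cannot turn into a path separator upstream.
fn encode_segment(seg: &[u8]) -> String {
    let mut out = String::with_capacity(seg.len());
    for &b in seg {
        if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'.' | b'_' | b'~') {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// Vulnerable pattern (hypothetical): the routed prefix is joined with the client path
/// verbatim. "../" survives, and the upstream resolves it outside the prefix.
pub fn vulnerable_upstream_path(prefix: &str, rest: &str) -> String {
    format!("{}/{}", prefix.trim_end_matches('/'), rest)
}

/// Hardened pattern (hypothetical): decode each segment, resolve "." and "..",
/// refuse to climb above the prefix, then re-encode before forwarding.
pub fn hardened_upstream_path(prefix: &str, rest: &str) -> Result<String, PathError> {
    let mut stack: Vec<String> = Vec::new();
    for raw in rest.split('/') {
        // Decode per segment, so "%2e%2e" is recognised as ".." but "%2F" stays one segment.
        let seg = percent_decode(raw);
        match seg.as_slice() {
            b"" | b"." => continue,
            b".." => {
                if stack.pop().is_none() {
                    return Err(PathError::Traversal);
                }
            }
            s if s.contains(&0) => return Err(PathError::BadSegment),
            s => stack.push(encode_segment(s)),
        }
    }
    let mut out = prefix.trim_end_matches('/').to_string();
    if stack.is_empty() {
        out.push('/');
    }
    for s in &stack {
        out.push('/');
        out.push_str(s);
    }
    Ok(out)
}

fn main() {
    // Constructed request paths: what a proxy routing "/api/*" would forward in each case.
    for rest in ["users/./1/../2", "../admin/dashboard", "%2e%2e/admin", "a b/c%2Fd"] {
        println!(
            "{:<22} vulnerable={:<28} hardened={:?}",
            rest,
            vulnerable_upstream_path("/api", rest),
            hardened_upstream_path("/api", rest)
        );
    }
}
```

The hardened builder treats a ".." that would pop past the prefix as an error rather than silently clamping it, which keeps the attempt visible in logs and avoids forwarding a request the proxy could not reason about.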
Details
- CWE(s)