CVE-2026-34413
Published: 22 April 2026
Summary
CVE-2026-34413 is a high-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly limits actions permitted without identification or authentication, directly preventing unauthenticated file operations on the elFinder connector endpoint.
AC-3 enforces approved access authorizations, addressing the failure to halt execution after redirecting unauthenticated callers.
SI-2 requires timely flaw remediation, directly mitigated by applying the vendor patches that fix the authentication bypass in the connector.php endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated arbitrary file operations on web-accessible project media directories directly enable exploitation of a public-facing application (T1190) and facilitate web shell deployment via malicious file uploads (T1100), with chaining to RCE.
NVD Description
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.
Deeper analysis
Xerte Online Toolkits versions 3.15 and earlier are affected by CVE-2026-34413, a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php. The issue arises because an HTTP redirect sent to unauthenticated callers fails to invoke exit() or die(), permitting PHP execution to continue server-side and process the full request. This flaw, classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).
Unauthenticated remote attackers can exploit this vulnerability to perform arbitrary file operations on project media directories, including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files. These capabilities can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file reads.
Mitigation is addressed in patches from the Xerte Online Toolkits project, including commits 02661be88cc369325ea01b508086bde7fbfec805, 17e4f945fe6a3400fa88c01eda18c1075ee4a212, and 507d55c5e91bf9310b5b1c7fad8aebfef902ad23 available on GitHub. A proof-of-concept for remote code execution is documented at https://github.com/bootstrapbool/xerteonlinetoolkits-rce, and the issue is tracked at https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527. Security practitioners should apply these updates promptly to affected installations.
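The root cause described above is a redirect that is sent without terminating the script. The following added illustration (not code from Xerte Online Toolkits; the function and parameter names are hypothetical stand-ins) shows the vulnerable redirect shape beside the corrected one.

```php
<?php
// Added illustration, not code from Xerte Online Toolkits: the redirect-without-exit
// pattern described in the advisory, beside the corrected form. The login flag and
// the handler below are hypothetical stand-ins for the connector's real logic.

function handleConnectorRequest(array $params): string
{
    // Stand-in for elFinder's command dispatch (mkdir, upload, rename, ...).
    return "executed command '" . ($params['cmd'] ?? 'unknown') . "'";
}

// Vulnerable shape: header() only queues the Location header. PHP keeps
// running, so the connector still executes the requested command.
function connectorVulnerable(bool $loggedIn, array $params): string
{
    if (!$loggedIn) {
        header('Location: /login.php');
        // no exit()/die() here: execution falls through to the handler
    }
    return handleConnectorRequest($params);
}

// Hardened shape: terminate the script immediately after the redirect so no
// request processing happens for unauthenticated callers.
function connectorFixed(bool $loggedIn, array $params): string
{
    if (!$loggedIn) {
        header('Location: /login.php');
        exit();
    }
    return handleConnectorRequest($params);
}

// Demonstration with a constructed unauthenticated request.
$request = ['cmd' => 'mkdir'];
echo "vulnerable: " . connectorVulnerable(false, $request) . PHP_EOL;  // handler runs anyway
echo "fixed: ";
echo connectorFixed(false, $request) . PHP_EOL;                          // never reached: script exits
```

Reviewing every `header('Location: ...')` in an authentication gate for an immediately following `exit()` or `die()` is the check that catches this class of defect before it ships.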
Details
- CWE(s)