CVE-2026-40027
Published: 08 April 2026
Summary
CVE-2026-40027 is a high-severity Path Traversal (CWE-22) vulnerability in Mobasi (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-40027 by requiring timely patching of the path traversal flaw in ALEAPP via the available GitHub commit.
Requires validation of attacker-controlled file_name_from inputs from databases to block path traversal payloads like '../../../outside_written.bin'.
Enforces least privilege for ALEAPP processes, limiting damage from arbitrary file writes by preventing overwrites of sensitive executables or configurations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in ALEAPP client app allows arbitrary file writes via malicious database input, directly enabling client-side exploitation for code execution (T1203) after user processes the file (T1204.002).
NVD Description
ALEAPP (Android Logs Events And Protobuf Parser) through 3.4.0 contains a path traversal vulnerability in the NQ_Vault.py artifact parser that uses attacker-controlled file_name_from values from a database directly as the output filename, allowing arbitrary file writes outside the report output…
more
directory. An attacker can embed a path traversal payload such as ../../../outside_written.bin in the database to write files to arbitrary locations, potentially achieving code execution by overwriting executable files or configuration.
Deeper analysisAI
CVE-2026-40027, published on 2026-04-08, is a path traversal vulnerability (CWE-22) in ALEAPP (Android Logs Events And Protobuf Parser) versions through 3.4.0. The flaw exists in the NQ_Vault.py artifact parser, which directly uses attacker-controlled "file_name_from" values from a database as the output filename. This enables arbitrary file writes outside the report output directory.
The vulnerability has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L). A local attacker with no privileges can exploit it by embedding a path traversal payload, such as "../../../outside_written.bin", into a database file. This requires user interaction, such as tricking a security practitioner into processing the malicious database with ALEAPP. Successful exploitation allows arbitrary file writes, potentially achieving code execution by overwriting executable files or configurations.
Patches addressing the issue are available in ALEAPP's GitHub repository via commit 0cafd8fe0027663420eb3d0fa821b2d1a713880d and pull request #669. Further details on the vulnerability and mitigation are provided in advisories from VulnCheck (vulncheck.com/advisories/aleapp-nq-vault-artifact-parser-path-traversal) and Mobasi (mobasi.ai/sentinel).
Details
- CWE(s)