Cyber Posture

CVE-2026-40163

Severity: High · Public PoC · Updated

Published: 10 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0013 (32.3rd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40163 is a high-severity path traversal (CWE-22) vulnerability in Saltcorn (vendor: Saltcorn). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 32.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, File and Directory Discovery (T1083). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI-generated

prevent: Validates user-supplied path inputs to the /sync/offline_changes and /sync/upload_finished endpoints, preventing the path traversal that enables arbitrary directory creation, file writes, and reads.
prevent: Enforces access control policies to block unauthenticated filesystem modifications and directory traversal via the vulnerable endpoints.
prevent: Restricts dangerous actions such as arbitrary file writes and directory listings to explicitly permitted unauthenticated operations, excluding these vulnerable endpoints.

MITRE ATT&CK Enterprise Techniques · AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

A path traversal vulnerability in a public-facing web application enables T1190 (Exploit Public-Facing Application). The resulting ability to list arbitrary directories and read files maps to T1083 (File and Directory Discovery).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.

Deeper analysis · AI-generated

CVE-2026-40163 is a path traversal vulnerability (CWE-22) affecting Saltcorn, an extensible open-source no-code database application builder. In versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint enables unauthenticated attackers to create arbitrary directories and write attacker-controlled changes.json files anywhere on the server filesystem. Additionally, the GET /sync/upload_finished endpoint allows unauthenticated attackers to list contents of arbitrary directories and read specific JSON files. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) and was published on 2026-04-10.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted requests to the affected endpoints, attackers can achieve arbitrary directory creation and manipulation, write malicious JSON content to changes.json files in chosen locations, enumerate directory structures, and extract sensitive data from targeted JSON files, potentially leading to information disclosure and filesystem integrity compromise.

The Saltcorn GitHub security advisory (GHSA-32pv-mpqg-h292) confirms the issue and states that it is fixed in Saltcorn versions 1.4.5, 1.5.5, and 1.6.0-beta.4. Security practitioners should upgrade to one of these patched releases to mitigate the vulnerability.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: saltcorn / saltcorn, versions 1.6.0 · ≤ 1.4.5 · 1.5.0 to 1.5.5

CVEs Like This One

CVE-2026-41478 (same product: Saltcorn)
CVE-2026-33670 (shared CWE-22)
CVE-2025-14182 (shared CWE-22)
CVE-2025-60946 (shared CWE-22)
CVE-2024-57451 (shared CWE-22)
CVE-2025-52452 (shared CWE-22)
CVE-2021-47850 (shared CWE-22)
CVE-2024-57727 (shared CWE-22)
CVE-2019-25579 (shared CWE-22)
CVE-2024-57549 (shared CWE-22)
