Skip to content

Authenticated Path Traversal via File Rename

High
Floppy published GHSA-j5f9-r7wf-hv37 May 13, 2026

Package

docker ghcr.io/manyfold3d/manyfold (Docker)

Affected versions

>= 0.96.0, < 0.140.0

Patched versions

0.140.0
docker ghcr.io/manyfold3d/manyfold-solo (Docker)
>= 0.96.0, < 0.140.0
0.140.0
docker lscr.io/linuxserver/manyfold (Docker)
>= 0.96.0, < 0.140.0
0.140.0
docker manyfold3d/manyfold (Docker)
>= 0.96.0, < 0.140.0
0.140.0
docker manyfold3d/manyfold-solo (Docker)
>= 0.96.0, < 0.140.0
0.140.0

Description

Summary

Manyfold allows authenticated users to rename uploaded files using path traversal sequences.

The filename field is user-controlled and later used in filesystem paths without proper sanitization:

File.join(model.path, filename)

By renaming a file to:

../../outside.stl

the application writes the file outside the configured library directory.

PoC

  1. Upload a valid model file.
  2. Rename it to:
../../outside.stl
  1. Save changes.
  2. Inside the container:
find / -name outside.stl 2>/dev/null

Result:

/outside.stl

Impact

Authenticated users able to edit files can write/move files outside the intended storage directory.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CVE ID

CVE-2026-46336

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations. Learn more on MITRE.

Credits