CVE-2026-45230: Unauthenticated Path Traversal in DumbAssets Lets

CVE-2026-45230 (CVSS 9.1) in DumbAssets through 1.0.11 lets unauthenticated attackers delete arbitrary files via path traversal in the POST /api/delete-file endpoint.

Executive Summary

A critical path traversal vulnerability, tracked as CVE-2026-45230 and carrying a CVSS score of 9.1, has been disclosed in DumbAssets versions through 1.0.11. The flaw resides in the POST /api/delete-file endpoint and its filesToDelete array parameter. An unauthenticated attacker can supply ../ sequences to bypass directory boundary validation and delete arbitrary files on the server, including application configuration files, database files, or system binaries. The vulnerability is especially dangerous because authentication is optional and disabled by default, meaning most public-facing instances are exposed without any access control. A pull request addressing the issue has been merged on GitHub, but no official release containing the fix has been published as of this writing.

Technical Analysis

The vulnerability exists in the file deletion logic of DumbAssets, an open-source asset management tool. The POST /api/delete-file endpoint accepts a filesToDelete parameter, which is an array of file paths. The application attempts to validate that these paths remain within the intended asset directory, but the check is insufficient. According to the NVD entry and the associated GitHub pull request (#136), an attacker can inject path traversal sequences such as ../../../etc/passwd or ../../../var/www/html/config.php to escape the restricted directory.

The validation failure is rooted in how the application processes the filesToDelete array. Instead of canonicalizing the paths and verifying they reside under the allowed base directory, the code performs a simple substring or prefix match that can be bypassed with encoded or nested traversal sequences. The endpoint does not require authentication by default — the authentication control is optional and disabled out of the box, per the project's configuration. This means any unauthenticated user who can reach the web interface can exploit the flaw.

An attacker leveraging CVE-2026-45230 could delete critical files such as:

  • Application configuration files (e.g., config.php, .env) leading to service disruption or further exploitation.
  • Database files (e.g., SQLite databases) causing data loss.
  • System binaries or libraries, potentially rendering the server inoperable.
  • Web root files, defacing or taking down the application.

The CVSS 9.1 score reflects the low attack complexity, no privileges required, no user interaction, and high impact on integrity and availability. The attack vector is network-based, and the scope is unchanged — the attacker cannot pivot to other systems directly via this flaw, but the local impact is severe.

Mitigations & Recommendations

Until an official patched release is published, defenders should take the following steps:

  1. Enable authentication immediately. The optional authentication control, though disabled by default, can be turned on via configuration. This adds a basic access control layer that blocks unauthenticated exploitation. Review the DumbAssets configuration documentation for the relevant setting.

  2. Restrict network access. If DumbAssets does not need to be exposed to the internet, place it behind a firewall or VPN. For internal deployments, limit access to trusted IP ranges.

  3. Apply the patch manually. The fix has been merged into the project's main branch in pull request #136. Administrators comfortable with manual patching can apply the changes from that PR to their local installation. The patch introduces proper path canonicalization and validation before file deletion.

  4. Monitor for exploitation. Check server logs for unusual patterns in requests to /api/delete-file with multiple ../ sequences or unexpected file paths. Deletion of configuration or database files outside the expected asset directory is a strong indicator of compromise.

  5. Back up critical data. Ensure regular backups of application data and configuration are stored off-server, so recovery is possible if an attacker deletes files.
