What is CVE-2026-21857?

### Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. ### Details The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Vulnerable code: - `redaxo/src/addons/backup/pages/export.php` (lines 72-76) – directly uses `$_POST['EXPDIR']` - `redaxo/src/addons/backup/lib/backup.php` (lines ~413 & ~427) – concatenates unsanitized user input with base path This allows disclosure of sensitive files such as: - `redaxo/data/core/config.yml` → database credentials + password hashes of all backend users - `.env`, custom configuration files, logs, uploaded malicious files, etc. ### Affected versions ≤ 5.20.1 (confirmed working) ### Patched versions None (as of 2025-12-09) ### PoC – Extracting database credentials and password hashes 1. Log in as any user with Backup permission 2. Go to Backup → Export → Files 3. Intercept the request with Burp Suite 4. Change one `EXPDIR[]` value to `../../../../var/www/html/redaxo/data/core` 5. Send request → download archive 6. Extract and open `data/core/config.yml` Result: plaintext database password ### Impact Full compromise of the REDAXO installation: - Database takeover - Password hash extraction → offline cracking → admin access - When combined with other vulnerabilities → RCE CVSS 4.0 vector & score below. ### Credits Discovered by: Łukasz Rybak

What is the severity of CVE-2026-21857?

CVE-2026-21857 has a CVSS v3 score of 6.5, which is classified as Medium severity.

Is there an exploit available for CVE-2026-21857?

No known public exploits are currently available for CVE-2026-21857.

Is there a patch available for CVE-2026-21857?

Yes, patches are available for CVE-2026-21857. Check the vendor advisories for update instructions.

CVE-2026-21857 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.5

CVSS v20.0

Priority Score321.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

6.5

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. <img width="664" height="899" alt="image" src="https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5" /> <img width="2358" height="445" alt="image" src="https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb" />

Details

The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories.
An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive.

Vulnerable code:

redaxo/src/addons/backup/pages/export.php (lines 72-76) – directly uses $_POST['EXPDIR']
redaxo/src/addons/backup/lib/backup.php (lines ~413 & ~427) – concatenates unsanitized user input with base path

This allows disclosure of sensitive files such as:

redaxo/data/core/config.yml → database credentials + password hashes of all backend users
.env, custom configuration files, logs, uploaded malicious files, etc.

Affected versions

≤ 5.20.1 (confirmed working)

Patched versions

None (as of 2025-12-09)

PoC – Extracting database credentials and password hashes

Log in as any user with Backup permission
Go to Backup → Export → Files

Intercept the request with Burp Suite

Change one EXPDIR[] value to ../../../../var/www/html/redaxo/data/core

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:High

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:Network

Patch References

Github.com Security [email protected]