Severity: HIGH | CVE-2026-36723 | CNA: mitre

CVE-2026-36723: An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unrestricted file rename vulnerability in the /api/create-user endpoint of bookcars v8.3 allows an authenticated attacker to move arbitrary files from temporary storage to any location on the server filesystem using directory traversal sequences. The attack is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation enables reading sensitive files, overwriting critical application files, and achieving remote code execution. HarborGuard tracks the upstream advisory for patch availability, as no fix version has been published.

HarborGuard Coverage

Detection

Detection of CVE-2026-36723 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from bookcars v8.3 base layers.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.8 (High) and weighting it against each customer environment's compliance policy to surface urgency accurately. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the bookcars service via HTTP/HTTPS.

  • Authentication: Required

    A valid account is required, but any low-privilege user account is sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any other user; the attack is carried out entirely by the attacker alone.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites.

Blast Radius

  • Reads arbitrary files from the server filesystem, including credentials, configuration files, and stored session data.
  • Overwrites critical application files such as configuration, code, or startup scripts, altering application behavior.
  • Achieves remote code execution by placing attacker-controlled files in executable locations on the server.
  • Combines file read and write primitives to pivot further into the host environment or connected services.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-36723 is active for any image found to include bookcars v8.3, with findings surfaced in the relevant team inbox weighted by compliance policy severity. Because no upstream patch exists as of the publication date, HarborGuard monitors the advisory continuously and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, that release will trigger a rebuild, a regression test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy rules that restrict access to the /api/create-user endpoint to trusted internal sources only, egress filtering to limit lateral movement from the host, and review of filesystem permissions on directories accessible from temporary storage paths.
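The flaw class described in this record, a client-supplied name used to move a file out of temporary storage, is closed at the code level by resolving both the source and the destination and refusing any path that leaves its intended directory. The following is an added example, not code from bookcars or HarborGuard; it assumes a Node.js runtime, and `resolveInside`, `moveFromTemp`, `demo` and the directory names are hypothetical.

```javascript
// Added example: confine a temp-to-permanent file move. Helper names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Resolve a client-supplied name under baseDir; throw if it lands outside.
function resolveInside(baseDir, name) {
  if (typeof name !== 'string' || name === '' || name.includes('\0')) {
    throw new Error('invalid file name');
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, name);
  const rel = path.relative(base, target);
  // '' is the directory itself; '..' or '../x' climbs out; absolute means another root.
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes ' + base);
  }
  return target;
}

// Move tmpDir/fileName to destDir/fileName, checking both ends before touching disk.
function moveFromTemp(tmpDir, destDir, fileName) {
  const src = resolveInside(tmpDir, fileName);
  const dst = resolveInside(destDir, fileName);
  // lstat does not follow symlinks, so a link planted in temp storage is refused.
  if (!fs.lstatSync(src).isFile()) throw new Error('source is not a regular file');
  fs.renameSync(src, dst);
  return dst;
}

// Constructed sandbox: one legitimate upload and one file outside temp storage.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'rename-demo-'));
  const tmpDir = path.join(root, 'tmp');
  const destDir = path.join(root, 'users');
  fs.mkdirSync(tmpDir);
  fs.mkdirSync(destDir);
  fs.writeFileSync(path.join(tmpDir, 'avatar.png'), 'constructed image bytes');
  fs.writeFileSync(path.join(root, 'app.env'), 'constructed secret');
  const results = {};
  for (const name of ['avatar.png', '../app.env', path.join(root, 'app.env')]) {
    try { moveFromTemp(tmpDir, destDir, name); results[name] = 'moved'; }
    catch (err) { results[name] = 'rejected'; }
  }
  results.secretStillInPlace = fs.existsSync(path.join(root, 'app.env'));
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

The check compares resolved paths rather than searching the input for `../`, so encoded or absolute forms that resolve outside the directory are rejected the same way.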

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H