CVE-2026-9506: Path Traversal Vulnerability in Bagisto
This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system. Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability exists in the ImageCacheController component of Bagisto (version v2.4.1). The flaw is reachable over the network without any authentication, and an attacker exploits it by sending crafted filename parameters containing directory traversal sequences (for example, "../../") to step outside the intended file directory. Successful exploitation allows the attacker to read arbitrary files on the host system, including configuration files, credentials, and other sensitive data. HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.
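The root cause described above is a filename that is joined onto the cache directory without checking where the resolved path ends up. The following Python function is an added illustration of the containment check a defender would want in such a controller; it is not Bagisto's or HarborGuard's code, and the CACHE_DIR value and the function name are assumptions made for this example. It decides on the resolved path rather than on a "../" substring blacklist, so percent-encoded and double-encoded forms fall to the same check.

```python
import os
import urllib.parse
from typing import Optional

# Constructed base directory for this example; the real cache location is
# deployment-specific and is not taken from the advisory.
CACHE_DIR = "/var/www/bagisto/storage/cache"


def safe_cache_relpath(filename: str, base_dir: str = CACHE_DIR) -> Optional[str]:
    """Return the normalized path of `filename` relative to base_dir, or None
    if the request would leave base_dir (traversal, absolute path, NUL byte).

    Containment is decided on the resolved path, not on a "../" blacklist,
    so encoded and mixed forms are caught by the same check.
    """
    # Decode until stable (bounded) so %2e%2e and %252e%252e are seen as "..".
    decoded = filename
    for _ in range(3):
        step = urllib.parse.unquote(decoded)
        if step == decoded:
            break
        decoded = step
    # NUL bytes and absolute paths are never legitimate cache filenames.
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # The resolved target must be strictly inside the cache directory.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return os.path.relpath(candidate, base)


if __name__ == "__main__":
    for name in ("product/1/thumb.jpg", "../../../../etc/passwd",
                 "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(repr(name), "->", safe_cache_relpath(name))
```

The check is POSIX-oriented: on Linux a backslash is an ordinary filename character, so "..\\.." stays inside the base directory and is returned unchanged rather than treated as traversal. The returned relative path is what the controller should use to build the file to serve; a None result should produce a 404 or 400, never a fallback to the raw input.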
HarborGuard Coverage
- Detection of CVE-2026-9506 is available across all HarborGuard environments: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against every customer image in connected registries and CI/CD pipelines, including internally built custom images that package Bagisto v2.4.1. (Status: Available)
- HarborGuard is capable of scoring this CVE at CVSS 8.7 (High, v4.0) and weighting it against each environment's compliance policy to produce a prioritized finding routed to the appropriate team inbox within the customer org. (Status: Available)
- Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Webkul ships a corrected release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as that upstream fix is confirmed. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the Bagisto service to exploit this flaw.
- Authentication: Not required
No account or session token is needed; the ImageCacheController endpoint accepts unauthenticated requests.
- Victim interaction: Not required
The attacker sends a crafted request directly to the server; no user action or social engineering is required.
- Attack complexity: Low
Exploitation is straightforward and condition-free; no race condition, specific memory layout, or environmental prerequisite is needed beyond network access to the service.
Blast Radius
- The attacker reads arbitrary files from the host filesystem by stepping outside the intended image-cache directory using traversal sequences.
- Sensitive files such as environment configuration files, database credentials, API keys, and private keys stored on the host are directly readable.
- Application source code and internal directory structure can be enumerated, providing a map for further attacks against the environment.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-9506 exists at this time, HarborGuard monitors the Webkul advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger automatically along with a regression-test run and a PR opened against affected workloads. In the meantime, compensating controls available through HarborGuard policy include network-policy isolation to restrict inbound access to the Bagisto service to known trusted sources, egress filtering to limit what the compromised container can reach if the traversal is chained with other techniques, and flagging images containing Bagisto v2.4.1 as non-compliant so they are blocked from promotion to production registries until a patch is available. Where compliance policy permits, customers can also configure a runtime alert rule to fire on any file-read activity outside expected container paths.
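Until a fixed release exists, the compensating controls above are the main lever, and the runtime alert mentioned at the end of the paragraph has a log-side counterpart: traversal attempts against the image-cache route leave a recognizable trace in web server access logs. The following Python snippet is an added example of that detection logic run over a few constructed combined-format log lines; it is not part of the advisory or of HarborGuard's tooling. The "/cache/" route prefix, the client addresses and the request lines are all assumptions invented for the sample.

```python
import re
import urllib.parse

# Constructed sample access-log lines (combined log format); none are real
# traffic. The "/cache/" route prefix is an assumption for this example only,
# not a route documented by Bagisto.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /cache/product/1/thumb.jpg HTTP/1.1" 200 5120
203.0.113.9 - - [10/May/2026:12:00:02 +0000] "GET /cache/../../../../etc/passwd HTTP/1.1" 200 1985
203.0.113.9 - - [10/May/2026:12:00:03 +0000] "GET /cache/..%2F..%2F..%2F.env HTTP/1.1" 200 843
203.0.113.9 - - [10/May/2026:12:00:04 +0000] "GET /cache/%252e%252e/%252e%252e/config/app.php HTTP/1.1" 404 0
198.51.100.7 - - [10/May/2026:12:00:05 +0000] "GET /cache/product/2/thumb..jpg HTTP/1.1" 200 4096
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment: preceded by a separator or string start, followed by
# a separator or string end. "thumb..jpg" is deliberately not matched.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def has_traversal(target: str) -> bool:
    """True if the raw, once-decoded or twice-decoded target contains a ".." segment."""
    candidates = {target}
    decoded = target
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
        candidates.add(decoded)
    return any(TRAVERSAL_RE.search(c) for c in candidates)


def flag_traversal_requests(log_text: str, route_prefix: str = "/cache/") -> list:
    """Return one finding per request under route_prefix whose target carries
    a traversal segment. `served` records whether the server answered 200,
    which separates a blocked probe from a likely successful file read."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not m["target"].startswith(route_prefix):
            continue
        if has_traversal(m["target"]):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "served": m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for finding in flag_traversal_requests(SAMPLE_LOG):
        print(finding)
```

A 200 response on a flagged request is the signal to escalate, since it indicates the server returned content for a path outside the cache directory; a 404 or 400 on the same pattern is evidence of probing but not of a successful read. Scope `route_prefix` to the actual path the ImageCacheController is mounted on in your deployment, and treat a single source address producing several flagged requests in quick succession as one incident rather than several alerts.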
Affected Products
- Webkul / Bagisto, version v2.4.1
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N