Description
Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
Published: 2026-03-09
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read via Authenticated Path Traversal
Action: Patch Now
AI Analysis

Impact

Camaleon CMS versions 2.4.5.0 through 2.9.0 allow an authenticated attacker to read arbitrary files from the web server’s filesystem. The vulnerability resides in the AWS S3 uploader’s download_private_file method, which fails to validate file paths when the backend is set to CamaleonCmsAwsUploader. This omission lets users supply path traversal sequences that can expose sensitive files such as /etc/passwd, subverting confidentiality controls and exposing system configuration.

Affected Systems

The flaw affects deployments of Camaleon CMS from version 2.4.5.0 up to and including 2.9.0 that are configured to use the Amazon Web Services S3 storage backend. Users of earlier or later releases, or those not employing the AWS uploader, are not impacted.

Risk and Exploitability

The CVSS score of 6 indicates a medium severity, and the EPSS assessment of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated, yet any low‑privileged registered user can trigger the read operation, meaning a wide range of accounts could potentially exploit the flaw within their authorized scope.

Generated by OpenCVE AI on April 16, 2026 at 10:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit f54a77e or upgrade to a Camaleon CMS release that incorporates this change.
  • If upgrading immediately is not feasible, reconfigure the CMS to disable the CamaleonCmsAwsUploader backend and use the local uploader instead, eliminating the unvalidated path traversal path.
  • Restrict the download_private_file functionality to privileged administrators only, or add additional access controls that prevent low‑privileged users from invoking file download operations.

Generated by OpenCVE AI on April 16, 2026 at 10:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jw5g-f64p-6x78 Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation
History

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 11 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Tuzitio
Tuzitio camaleon Cms
CPEs cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*
Vendors & Products Tuzitio
Tuzitio camaleon Cms

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Owen2345
Owen2345 camaleon Cms
Vendors & Products Owen2345
Owen2345 camaleon Cms

Mon, 09 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
Title Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Owen2345 Camaleon Cms
Tuzitio Camaleon Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:08.805Z

Reserved: 2026-02-02T18:05:13.516Z

Link: CVE-2026-1776

cve-icon Vulnrichment

Updated: 2026-03-10T14:57:13.160Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:38:01.950

Modified: 2026-04-17T20:59:47.330

Link: CVE-2026-1776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses