Description
An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).
Published: 2026-06-09
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unrestricted file rename in the /api/create-user endpoint of bookcars v8.3. An authenticated attacker can supply directory traversal sequences in the file name passed to the endpoint, causing the server to move a file from its temporary upload storage to an arbitrary location on the filesystem. Depending on where the file lands, the attacker can expose sensitive files, overwrite application or configuration files, or place content that the server later executes. The root cause is insufficient validation of the client-supplied file name before it is joined to a base directory and used in a rename (CWE-22).

Affected Systems

The affected software is bookcars version 8.3, tracked here as vendor Bookcars, product bookcars. No other affected versions or product details are listed. The flaw is in the /api/create-user component, so any deployed instance running this version that exposes the endpoint to authenticated users is affected.

Risk and Exploitability

Successful exploitation gives the attacker arbitrary file placement on the server and, depending on the destination path, remote code execution. The EPSS score is currently below 1% (very low) and the CVE is not in the CISA KEV catalog, but both signals lag for newly published issues. Exploitation requires valid credentials for an account that can reach /api/create-user; the practical risk therefore depends on which roles can call the endpoint, and if it is reachable by ordinary or self-registered accounts rather than only administrators, the authentication requirement offers little protection. Once authenticated, an attacker can escalate from a file upload to server compromise by moving files into locations the application executes or reads as configuration.

Generated by OpenCVE AI on June 9, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released patch for the file rename handling in /api/create-user as soon as one is published; none was available when this page was generated.
  • Until then, refuse any rename whose resolved source or destination falls outside the intended directory: canonicalise the path (resolving ".." and symlinks) and compare it against the allowed base directory rather than only searching the string for "..", which misses URL-encoded, backslash and absolute-path variants. Prefer a server-generated destination name so that client input never becomes a path component.
  • Run the application under an account whose write access is limited to the designated temporary and upload directories, so that a traversal cannot reach configuration, source or executable locations.
  • Monitor server and application logs for file operations that resolve outside the upload directories, and alert on requests to /api/create-user whose file-name parameters contain traversal sequences.

Generated by OpenCVE AI on June 9, 2026 at 22:18 UTC.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Bookcars; Bookcars bookcars
  Vendors & Products   (none)           Bookcars; Bookcars bookcars

Tue, 09 Jun 2026 22:45:00 +0000

  Type                 Values Removed   Values Added
  Title                (none)           Unrestricted File Rename Enables Directory Traversal and Remote Code Execution in bookcars
  Weaknesses           (none)           CWE-22

Tue, 09 Jun 2026 18:45:00 +0000

  Type                 Values Removed   Values Added
  Description          (none)           An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T18:13:14.956Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36723

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-09T19:17:42.743

Modified: 2026-06-09T19:35:05.693

Link: CVE-2026-36723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:23:26Z

Weaknesses