Description
An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).
Published: 2026-06-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unrestricted file rename in the /api/create-user endpoint of bookcars v8.3. An attacker who is already authenticated can supply directory traversal sequences in the file path to move files from temporary storage to any location on the server. The attacker may read sensitive files, overwrite critical application files, or execute code. The flaw originates from insufficient input validation of file names, effectively allowing arbitrary file manipulation.

Affected Systems

The affected software is bookcars version 8.3. No vendor or additional product information is provided. The flaw is present in the /api/create-user component, and any deployed instance running this version is vulnerable.

Risk and Exploitability

The vulnerability yields remote code execution once triggered. The EPSS score of < 1% indicates a low but non‑zero exploitation likelihood, and the CVE is not listed in the CISA KEV catalog. Although valid credentials are required, the combination of an authenticated entry point with directory traversal still represents a high exploitation risk, especially on systems that expose guest or administrative APIs. Attackers need an account to reach /api/create-user, but once authenticated they could elevate privileges by moving files into executable or configuration locations. The CVSS score is 8.8, indicating high severity.

Generated by OpenCVE AI on June 10, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch that fixes the file rename handling in bookcars v8.3.
  • If a patch is not yet available, restrict the /api/create-user endpoint to only allow file renames within the intended temporary directory and reject any path containing "..".
  • Employ directory and file permission controls so that the application only has write access to the designated temporary folder, preventing arbitrary writes to critical files.
  • Monitor server logs for unusual file operations and set up alerts for attempted writes to protected paths to detect exploitation attempts.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unrestricted File Rename Enables Directory Traversal and Remote Code Execution in bookcars

Wed, 10 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Bookcars
Bookcars bookcars
Vendors & Products Bookcars
Bookcars bookcars

Tue, 09 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unrestricted File Rename Enables Directory Traversal and Remote Code Execution in bookcars
Weaknesses CWE-22

Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T17:28:08.932Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36723

Vulnrichment

Updated: 2026-06-10T17:24:40.661Z

NVD

Status : Deferred

Published: 2026-06-09T19:17:42.743

Modified: 2026-06-10T18:16:44.047

Link: CVE-2026-36723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:00:16Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')