Description
Unraid Update Request Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.

The specific flaw exists within the update.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28951.
Published: 2026-03-13
Score: 8.8 High
EPSS: 1.5% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Unraid systems are vulnerable to a path traversal flaw in the update.php file that allows attackers to supply a crafted file path and execute arbitrary code as root. The vulnerability is a CWE-22 type (Path Traversal). Because the application does not validate the user‑supplied path before performing file operations, a remote authenticated attacker can run any code on the host, compromising confidentiality, integrity, and availability.

Affected Systems

Affected installations belong to the Unraid operating system, specifically version 7.2.3 as identified by the CPE entry. The flaw originates from the update.php file in this release.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. An EPSS of 2% suggests a relatively low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. The attack requires authentication, meaning an attacker must hold valid credentials or an authenticated session on the Unraid web interface. Once authenticated, the exploitation path is straightforward and yields root-level code execution.

Generated by OpenCVE AI on March 17, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch from Unraid once it becomes available.
  • If a patch is not immediately available, disable the update.php endpoint or restrict its access to trusted users only.
  • Monitor Unraid logs and network traffic for suspicious activity related to update operations and consider changing default credentials.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:30:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:o:unraid:unraid:7.2.3:*:*:*:*:*:*:*

Mon, 16 Mar 2026 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Unraid; Unraid unraid

Type: Vendors & Products
Values removed: (none)
Values added: Unraid; Unraid unraid

Fri, 13 Mar 2026 21:00:00 +0000

Type: Description
Values removed: (none)
Values added: Unraid Update Request Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within the update.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28951.

Type: Title
Values removed: (none)
Values added: Unraid Update Request Path Traversal Remote Code Execution Vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-22

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_0
{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-16T20:22:01.886Z

Reserved: 2026-03-09T16:02:10.333Z

Link: CVE-2026-3838

Vulnrichment

Updated: 2026-03-16T20:21:57.535Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:52.877

Modified: 2026-03-17T14:18:58.587

Link: CVE-2026-3838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:47Z

Weaknesses