Description
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.
Published: 2026-04-10
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write and directory read via unauthenticated access to /sync endpoints
Action: Apply Patch
AI Analysis

Impact

The flaw is a path‑traversal vulnerability in Saltcorn’s synchronization API. An unauthenticated attacker can send a crafted POST request to the /sync/offline_changes endpoint and create any directory, then write a changes.json file containing attacker‑controlled JSON to an arbitrary location on the server’s filesystem. A separate GET request to /sync/upload_finished allows the attacker to enumerate arbitrary directory contents and read any JSON file. This combination permits unauthorized disclosure of configuration, data, and code, and can lead to overwriting critical files, data loss, or persistence of malicious code.

Affected Systems

The issue affects releases of the Saltcorn no‑code database builder before version 1.4.5, 1.5.5, and 1.6.0‑beta.4. The product is distributed by the Saltcorn project under the vendor name saltcorn.

Risk and Exploitability

The CVSS score of 8.2 denotes high severity, and the vulnerability is exploitable by any network user without authentication, making the attack vector network‑based. While the EPSS score is reported as less than 1 %, the ease of execution via simple HTTP calls and the lack of authentication requirements means the practical risk is still significant. The vulnerability is not currently listed in CISA’s KEV catalog, but the combination of high severity and unauthenticated access mandates prompt remediation.

Generated by OpenCVE AI on April 15, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Saltcorn to the patched releases 1.4.5, 1.5.5, or 1.6.0‑beta.4.
  • If upgrading cannot be performed immediately, block or restrict access to the /sync/offline_changes and /sync/upload_finished endpoints in the firewall or enforce HTTP authentication to prevent unauthenticated usage.
  • Re‑configure the filesystem permissions for the directories used by the sync endpoints so that the web server process cannot write outside the intended application data area.

Generated by OpenCVE AI on April 15, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-32pv-mpqg-h292 Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read
History

Mon, 27 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:node.js:*:*		 cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:*:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:*:*:*

Mon, 27 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:node.js:*:*

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Saltcorn
Saltcorn saltcorn
Vendors & Products Saltcorn
Saltcorn saltcorn

Fri, 10 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.
Title Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Saltcorn Saltcorn
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:50:01.616Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40163

cve-icon Vulnrichment

Updated: 2026-04-15T14:49:42.801Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T18:16:46.233

Modified: 2026-04-27T13:36:14.653

Link: CVE-2026-40163

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses