CVE-2026-4233 - Vulnerability Details

- ThingsGateway download path traversal

Description

A vulnerability was identified in ThingsGateway 12. This affects an unknown part of the file /api/file/download. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-16

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A parameter manipulation flaw in the /api/file/download endpoint of ThingsGateway 12 allows attackers to craft a fileName value containing directory traversal characters. The traversal enables arbitrary file reads on the underlying host, exposing sensitive files such as configuration files, logs, and potentially credentials. The vulnerability does not provide direct code execution but leaks confidential data that could assist in more serious attacks. The flaw carries a CVSS score of 5.3, indicating moderate severity.

Affected Systems

ThingsGateway version 12 is affected. The vulnerability resides in the /api/file/download API. No version ranges or specific build details are provided beyond version 12. The vendor, ThingsGateway, has not released a patch or response, leaving systems based on this version at risk.

Risk and Exploitability

The exploit is publicly available and can be triggered by sending a malformed fileName parameter over HTTP, with no authentication mentioned. The EPSS score is under 1%, and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low probability of widespread exploitation. However, the combination of remote file read capability and an available exploit code means that attackers still have a feasible attack path, especially in environments where the endpoint is publicly exposed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

ThingsGateway

affected

Version	Status	Constraints
`12`	affected	—

No data.

Vendor Product Confidence Versions

Thethingsnetwork

Thingsgateway

100%

Version	Status	Scheme	Platform
`12`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ThingsGateway to a fixed version once a patch is released by the vendor.
If upgrading is not possible, restrict access to the /api/file/download endpoint to authenticated users only.
Implement input validation or path sanitization to prevent traversal characters in fileName.
Deploy a web application firewall rule to block requests containing '..' sequences.
Monitor application logs for abnormal /api/file/download traffic and investigate any unauthorized file access attempts.

Generated by OpenCVE AI on March 22, 2026 at 14:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/SourByte05/SourByte-Lab/issues/11
https://vuldb.com/?ctiid.351156
https://vuldb.com/?id.351156
https://vuldb.com/?submit.771234

History

Mon, 30 Mar 2026 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thethingsnetwork Thethingsnetwork thingsgateway
Vendors & Products		Thethingsnetwork Thethingsnetwork thingsgateway

Mon, 16 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in ThingsGateway 12. This affects an unknown part of the file /api/file/download. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		ThingsGateway download path traversal
Weaknesses		CWE-22
References		https://github.com/SourByte05/SourByte-Lab/issues/11 https://vuldb.com/?ctiid.351156 https://vuldb.com/?id.351156 https://vuldb.com/?submit.771234
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Thethingsnetwork Thingsgateway

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-16T10:02:07.004Z

Updated: 2026-03-16T16:05:50.727Z

Reserved: 2026-03-15T18:49:51.869Z

Link: CVE-2026-4233

Vulnrichment

Updated: 2026-03-16T16:05:38.473Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:20:17.233

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:31Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object