Description
Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint (GET /apis/console.api.migration.halo.run/v1alpha1/backups/{name}/files/{filename}) in MigrationServiceImpl.download() resolves the backup filename via Path.resolve() without validating that the resolved path stays within the designated backups directory. Also, the Backup creation endpoint (POST /apis/migration.halo.run/v1alpha1/backups) does not sanitize the status fields during creation This vulnerability is fixed in 2.24.3.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in Halo’s backup download endpoint allows authenticated administrators to read arbitrary files on the server. The flaw stems from missing validation when resolving the backup filename, letting a malicious admin construct paths that escape the intended backups directory. This results in confidentiality exposure of any file the administrator can reach on the filesystem. The vulnerability is classified as CWE‑22.

Affected Systems

Halo is a community‑maintained open‑source website builder released by halo‑dev. Versions earlier than 2.24.3 are affected by this issue. Clients that run any 2.x series prior to that patch level and have the backup feature enabled are vulnerable until they upgrade.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium rating, with the threat limited to compromised credentials of a privileged administrator. An attacker would first need authenticated admin access, then supply a crafted filename in the /files/{filename} path to read any file. The EPSS is not reported, and the vulnerability is not currently listed in the KEV catalog, suggesting a moderate exploitation probability but no known widespread attacks yet.

Generated by OpenCVE AI on June 25, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Halo to version 2.24.3 or newer
  • Restrict access to the backup download endpoint to only authenticated administrators and validate file paths to prevent traversal
  • Sanitize status fields during backup creation to prevent unintended data exposure

Generated by OpenCVE AI on June 25, 2026 at 18:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Halo
Halo halo
Vendors & Products Halo
Halo halo

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint (GET /apis/console.api.migration.halo.run/v1alpha1/backups/{name}/files/{filename}) in MigrationServiceImpl.download() resolves the backup filename via Path.resolve() without validating that the resolved path stays within the designated backups directory. Also, the Backup creation endpoint (POST /apis/migration.halo.run/v1alpha1/backups) does not sanitize the status fields during creation This vulnerability is fixed in 2.24.3.
Title Halo: Path Traversal in Backup Download Leads to Arbitrary File Read
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:41:27.946Z

Reserved: 2026-06-16T21:59:57.017Z

Link: CVE-2026-55439

cve-icon Vulnrichment

Updated: 2026-06-25T18:07:25.907Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')