Description
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization. This vulnerability is fixed in 4.15.3 and 5.2.0.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a mismatch in how the Echo framework's router and static file handler decode URL paths. Routes are matched using the raw encoded path, leaving %2F in place, while the static directory handler unescapes %2F to a forward slash before resolving file system paths. This mismatch allows an attacker to request a URL containing an encoded slash, causing the router to treat the request as a valid route while the static handler interprets it as a file path. The result is that protected routes can be bypassed and arbitrary static files become readable, compromising confidentiality. The weakness is a CWE-22 Path Traversal flaw.

Affected Systems

This issue impacts the Go web framework labstack:echo in all releases prior to 4.15.3 and 5.2.0. Any deployment using those earlier versions is susceptible, including both stable and preview releases.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high in severity. EPSS data is unavailable, and the vulnerability is not currently listed in CISA's KEV catalog. Attackers can exploit the flaw over a network by crafting an HTTP request that includes an encoded slash in the URL. No local privilege escalation or complex prerequisites are required; the attack is feasible from any external source that can reach the application.

Generated by OpenCVE AI on June 26, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Echo framework to version 4.15.3 or newer; version 5.2.0 or newer also includes the fix.
  • If an immediate upgrade is not possible, configure the web server to deny access to the static file directories used by Echo, or disable Echo's static file handler entirely.
  • Implement network-level controls or application firewall rules to block requests containing encoded slash characters that target vulnerable paths.
  • Continuously monitor web traffic for unexpected static file requests and review access logs for potential exploitation attempts.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Labstack
                                       Labstack echo
Vendors & Products                     Labstack
                                       Labstack echo

Fri, 26 Jun 2026 17:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Type                  Values Removed   Values Added
Description                            Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization. This vulnerability is fixed in 4.15.3 and 5.2.0.
Title                                  Echo: Encoded slash (%2F) bypasses route-level protection and exposes static files
Weaknesses                             CWE-22
References
Metrics                                cvssV3_1
                                       {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T16:50:57.019Z

Reserved: 2026-06-17T00:05:03.778Z

Link: CVE-2026-55677

Vulnrichment

Updated: 2026-06-26T16:50:28.048Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:15:08Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')