Description
Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client->url_buffer (assembled in on_url() for HTTP/1 and copied verbatim from the :path pseudo-header for HTTP/2) without resolving "." or ".." segments. The static-FS handler then built the on-disk filename by directly concatenating the configured root with that raw URL (snprintk(fname, ..., "%s%s", static_fs_detail->fs_path, client->url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ). Because the handler is reached via wildcard/leading-dir (fnmatch FNM_LEADING_DIR) or fallback resource matching, a request such as GET /<prefix>/../../<file> is dispatched to the handler and, after the underlying filesystem (e.g. LittleFS/FAT) resolves the ".." segments, escapes the configured web root, letting an unauthenticated remote client read arbitrary readable files on the mounted volume (information disclosure). The HTTP server requires no TLS or authentication to reach this path. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal. Affects releases v4.0.0 through v4.4.0 for deployments that register a static-filesystem resource.
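The C program below is an added illustration, not code from Zephyr or from the fix commit. It contrasts the pre-fix filename construction described above (configured root concatenated with the raw URL via "%s%s") with a builder that first applies RFC 3986 section 5.2.4 dot-segment removal, which is the same canonicalization step the fix's http_server_remove_dot_segments() performs on the path portion of the URL. Every name in it is hypothetical: remove_dot_segments, build_fname_unsafe, build_fname_safe, the /lfs/www root standing in for static_fs_detail->fs_path, and the sample request path are all constructed for the example; resolves_within_root() is a model of what the underlying filesystem does with the ".." segments, not a Zephyr API.

```c
/* Added example, not Zephyr code: dot-segment removal before building a
 * static-FS filename. All names and paths below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 3986 section 5.2.4 remove_dot_segments over the path portion of url;
 * a query/fragment (from '?' or '#') is copied through unchanged.
 * Returns false if the input or output does not fit. */
bool remove_dot_segments(const char *url, char *out, size_t outsz)
{
	char in[256], *p;
	const char *rest = strpbrk(url, "?#");
	size_t inlen = rest ? (size_t)(rest - url) : strlen(url), outlen = 0;
	if (inlen >= sizeof(in) || outsz == 0)
		return false;
	memcpy(in, url, inlen);
	in[inlen] = '\0';
	for (p = in; *p != '\0';) {
		if (strncmp(p, "../", 3) == 0) {            /* A: drop "../" */
			p += 3;
		} else if (strncmp(p, "./", 2) == 0) {      /* A: drop "./" */
			p += 2;
		} else if (strncmp(p, "/./", 3) == 0) {     /* B: "/./x" -> "/x" */
			p += 2;
		} else if (strcmp(p, "/.") == 0) {          /* B: "/." -> "/" */
			p[1] = '\0';
		} else if (strncmp(p, "/../", 4) == 0 || strcmp(p, "/..") == 0) {
			/* C: "/../x" -> "/x" and pop the last output segment */
			if (p[3] == '/')
				p += 3;
			else
				p[1] = '\0';
			while (outlen > 0 && out[outlen - 1] != '/')
				outlen--;
			if (outlen > 0)
				outlen--;                           /* its leading '/' */
		} else if (strcmp(p, ".") == 0 || strcmp(p, "..") == 0) {
			*p = '\0';                              /* D: bare "." / ".." */
		} else {                                    /* E: move one segment */
			size_t seg = (p[0] == '/') ? 1 : 0;
			while (p[seg] != '\0' && p[seg] != '/')
				seg++;
			if (outlen + seg >= outsz)
				return false;
			memcpy(out + outlen, p, seg);
			outlen += seg;
			p += seg;
		}
	}
	out[outlen] = '\0';
	if (rest != NULL) {
		if (outlen + strlen(rest) >= outsz)
			return false;
		strcpy(out + outlen, rest);
	}
	return true;
}

/* Pre-fix construction as the advisory describes it: root + raw URL. */
bool build_fname_unsafe(const char *root, const char *url, char *fname, size_t sz)
{
	int n = snprintf(fname, sz, "%s%s", root, url);
	return n >= 0 && (size_t)n < sz;
}

/* Hardened construction: canonicalize, drop any query, require an absolute
 * path, then concatenate. ".." can no longer climb above the URL root. */
bool build_fname_safe(const char *root, const char *url, char *fname, size_t sz)
{
	char canon[256], *q;
	int n;
	if (!remove_dot_segments(url, canon, sizeof(canon)))
		return false;
	q = strpbrk(canon, "?#");
	if (q != NULL)
		*q = '\0';
	if (canon[0] != '/')
		return false;
	n = snprintf(fname, sz, "%s%s", root, canon);
	return n >= 0 && (size_t)n < sz;
}

/* Model of what LittleFS/FAT does when it resolves the name: collapse the
 * dot segments and report whether the result still lies under root. */
bool resolves_within_root(const char *root, const char *fname)
{
	char resolved[256];
	size_t rl = strlen(root);
	if (!remove_dot_segments(fname, resolved, sizeof(resolved)))
		return false;
	return strncmp(resolved, root, rl) == 0 &&
	       (resolved[rl] == '/' || resolved[rl] == '\0');
}
```

With the constructed request path /prefix/../../etc/passwd and root /lfs/www, build_fname_unsafe() produces /lfs/www/prefix/../../etc/passwd, which resolves_within_root() reports as resolving outside the root, while build_fname_safe() produces /lfs/www/etc/passwd, a name that stays inside it. The canonicalization handles literal dot segments only; a server that percent-decodes the path must decode before canonicalizing, otherwise encoded forms of the same segments would pass through untouched.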
Published: 2026-06-29
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic path traversal flaw in Zephyr's HTTP server static-file resource handler that allows an unauthenticated client to read any file on the mounted filesystem if the request path contains ../ segments. This flaw arises because the server appends the raw client URL to the configured root directory without normalizing the path before opening the file. The result is an information-disclosure vulnerability that lets remote attackers read arbitrary readable files on the device, which could include configuration or secret data. The weakness is CWE-23 (Path Traversal) and is triggered via HTTP requests sent to the device's web server.

Affected Systems

Zephyr RTOS version 4.0.0 through 4.4.0 where the static-filesystem resource is registered and CONFIG_FILE_SYSTEM is enabled. The flaw exists in the subsys/net/lib/http module and applies to any underlying filesystem such as LittleFS or FAT.

Risk and Exploitability

The CVSS score of 7.5 reflects the high impact of data disclosure and the fact that the server does not require authentication or TLS to reach the vulnerable path. The EPSS score is not available, so the current exploitation probability cannot be quantified, and the vulnerability is not yet listed in the CISA KEV catalog. Nevertheless, an attacker can exploit it by sending a crafted HTTP request containing traversal sequences to any Zephyr device exposing the static-file handler. The vulnerability can be triggered over the local network or the internet, wherever the device's HTTP service is reachable. Because authentication is not required, anyone who can reach the HTTP service can read arbitrary files on the filesystem, making this a serious risk for deployments that expose sensitive information.

Generated by OpenCVE AI on June 29, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr to the latest release (v4.4.1 or later) where the path traversal bug is fixed, or apply the patch commit f4a423c98554f209c5d2f22f041822422c9263b8 to the source code.
  • If an immediate upgrade is not possible, disable the static-filesystem resource by removing its registration or disabling CONFIG_HTTP_STATIC_FS in the Zephyr build configuration.
  • Restrict filesystem permissions and mount options so that only non-privileged files are accessible or use a read-only mount for the web root, thereby limiting the impact of any potential path traversal.
  • As a temporary safeguard, enable TLS for the HTTP server so that only trusted clients can reach the vulnerable endpoint.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:30:00 +0000

Type         Values Removed   Values Added
Description  -                (identical to the Description section above)
Title        -                Path traversal in Zephyr HTTP server static-filesystem resource handler allows unauthenticated remote arbitrary file read
Weaknesses   -                CWE-22, CWE-23
References   -                -
Metrics      -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-29T22:15:22.017Z

Reserved: 2026-05-05T23:01:35.471Z

Link: CVE-2026-8023

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T23:45:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-23

    Relative Path Traversal