CVE-2026-33528

CVE-2026-33528 is a medium-severity path traversal vulnerability in github.com/yusing/godoxy (go), affecting versions < 0.27.5. It is fixed in 0.27.5.

Summary

The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required").

An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID.

Root Cause

File: internal/api/v1/file/get.go, lines 68-73:

func (t FileType) GetPath(filename string) string {
    if t == FileTypeMiddleware {
        return path.Join(common.MiddlewareComposeBasePath, filename)
    }
    return path.Join(common.ConfigBasePath, filename)
}
  • common.ConfigBasePath = "config", relative path, not absolute
  • path.Join("config", "../certs/key.pem") normalizes to "certs/key.pem", escaping config/
  • No call to strings.HasPrefix, filepath.Rel, or any containment check exists
  • The format:"filename" struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator

Proof of Concept

Environment

  • GoDoxy v0.27.4 (ghcr.io/yusing/godoxy:latest)
  • Authentication enabled with default credentials (admin/password)

Steps to Reproduce

Step 1, Authenticate:

Step 2, Read file outside config/ via path traversal:

GET /api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem HTTP/1.1
Host: localhost:8888
Cookie: godoxy_token=<JWT>

HTTP Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: application/godoxy+yaml
Expires: 0
Pragma: no-cache

THIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS

Files accessible via this vulnerability

Path (relative to config/)               | Contents                                    | Risk
../certs/agents/{host}.zip               | CA cert + server cert + TLS private key     | Impersonate GoDoxy server to remote agents
../data/oauth_refresh_tokens.json        | OIDC refresh tokens for all active sessions | Account takeover via token reuse
../../etc/ssl/certs/ca-certificates.crt  | System CA certificates                      | Information disclosure
Any file readable by UID 1000            | Depends on mounted volumes                  | Variable

The PUT /api/v1/file/content endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside config/, potentially injecting malicious route definitions.

Suggested Remediation

Validate that the resolved path remains within the base directory:

func (t FileType) GetPath(filename string) (string, error) {
    var base string
    if t == FileTypeMiddleware {
        base = common.MiddlewareComposeBasePath
    } else {
        base = common.ConfigBasePath
    }

    // Both bases are relative ("config"), so resolve them against the working
    // directory before comparing. Errors must not be discarded, otherwise the
    // containment check below runs against an empty string.
    absBase, err := filepath.Abs(base)
    if err != nil {
        return "", err
    }
    resolved, err := filepath.Abs(filepath.Join(base, filename))
    if err != nil {
        return "", err
    }

    // Compare against base plus a separator so that a sibling directory such
    // as "config-backup" is not accepted as a prefix match.
    if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
        return "", fmt.Errorf("path traversal detected: %s", filename)
    }

    return resolved, nil
}

This check is purely lexical: it stops ../ sequences and absolute paths, but not a symlink inside config/ that points elsewhere. If anyone untrusted can create files in the base directory, resolve the candidate with filepath.EvalSymlinks before the prefix comparison, or confine the open to the directory with os.Root (Go 1.24+). Since the signature now returns an error, every caller of GetPath, including the PUT handler, must be updated to check it.
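The following is an added, self-contained Go program, not GoDoxy's code, that puts the unsafe join described under Root Cause beside a hardened variant of the containment check, and goes one step further than the remediation above by also resolving symlinks. VulnerablePath, SafePath, SetupFixture, ErrTraversal and the on-disk layout (config/app.yml, certs/key.pem, and a config/escape.pem symlink) are all constructed for this demo; none of these names exist in the project.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned by SafePath when a filename would leave the base directory.
var ErrTraversal = errors.New("path traversal detected")

// VulnerablePath mirrors the pre-0.27.5 behaviour the advisory describes: the
// user-supplied filename is joined onto a relative base with no containment
// check, and path.Join's cleaning lets "../" segments walk out of base.
func VulnerablePath(base, filename string) string {
	return path.Join(base, filename)
}

// SafePath is a hypothetical hardened variant (not GoDoxy's code). It accepts
// filename only if it is lexically local to base and, after resolving symlinks,
// still lies inside base. The lexical check catches "../" and absolute paths;
// the symlink check catches a link inside base that points elsewhere, which a
// prefix comparison on the unresolved path would miss.
func SafePath(base, filename string) (string, error) {
	// filepath.IsLocal (Go 1.20+) rejects "", absolute paths and any path whose
	// cleaned form starts with "..".
	if !filepath.IsLocal(filename) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, filename)
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Canonicalise the base too, so the comparison is against the real directory.
	if canon, err := filepath.EvalSymlinks(absBase); err == nil {
		absBase = canon
	}
	candidate := filepath.Join(absBase, filename)
	// Reads target an existing file: resolve it fully. Writes may target a file
	// that does not exist yet, so resolve its parent directory instead.
	resolved, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, os.ErrNotExist) {
		parent, perr := filepath.EvalSymlinks(filepath.Dir(candidate))
		if perr != nil {
			return "", perr
		}
		resolved, err = filepath.Join(parent, filepath.Base(candidate)), nil
	}
	if err != nil {
		return "", err
	}
	if resolved != absBase && !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %s", ErrTraversal, filename, resolved)
	}
	return resolved, nil
}

// SetupFixture builds a constructed layout for the demo (sample data, not real GoDoxy files):
//   root/config/app.yml                         legitimate config file
//   root/certs/key.pem                          "secret" outside config/
//   root/config/escape.pem -> ../certs/key.pem  symlink a lexical check alone would accept
func SetupFixture(root string) error {
	for _, d := range []string{"config", "certs"} {
		if err := os.MkdirAll(filepath.Join(root, d), 0o755); err != nil {
			return err
		}
	}
	if err := os.WriteFile(filepath.Join(root, "config", "app.yml"), []byte("entrypoint: {}\n"), 0o644); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(root, "certs", "key.pem"), []byte("CONSTRUCTED_SECRET\n"), 0o600); err != nil {
		return err
	}
	return os.Symlink(filepath.Join("..", "certs", "key.pem"), filepath.Join(root, "config", "escape.pem"))
}

func main() {
	root, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := SetupFixture(root); err != nil {
		panic(err)
	}
	cfg := filepath.Join(root, "config")
	for _, name := range []string{"app.yml", "../certs/key.pem", "escape.pem", "/etc/passwd", "new.yml"} {
		fmt.Printf("vulnerable %-20q -> %s\n", name, VulnerablePath("config", name))
		if p, err := SafePath(cfg, name); err != nil {
			fmt.Printf("hardened   %-20q -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("hardened   %-20q -> %s\n", name, p)
		}
	}
}
```

Running it shows "../certs/key.pem" normalised by path.Join to "certs/key.pem" on the vulnerable side, while SafePath rejects it lexically, rejects "escape.pem" only after following the symlink, and still permits "new.yml" (a not-yet-existing file under config/) so the PUT case keeps working.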

Impact

Attacker-controlled input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2026-33528 has a CVSS score of 6.5 (Medium). The vector is network-reachable, requires high privileges (an authenticated session on the API), and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.27.5); upgrading removes the vulnerable code path.

Affected versions

github.com/yusing/godoxy (< 0.27.5)

Security releases

github.com/yusing/godoxy → 0.27.5 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/yusing/godoxy to 0.27.5 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-33528? CVE-2026-33528 is a medium-severity path traversal vulnerability in github.com/yusing/godoxy (go), affecting versions < 0.27.5. It is fixed in 0.27.5. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-33528? CVE-2026-33528 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/yusing/godoxy are affected by CVE-2026-33528? github.com/yusing/godoxy (go) versions < 0.27.5 are affected.
  4. Is there a fix for CVE-2026-33528? Yes. CVE-2026-33528 is fixed in 0.27.5. Upgrade to this version or later.
  5. Is CVE-2026-33528 exploitable, and should I be worried? Whether CVE-2026-33528 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-33528 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33528? Upgrade github.com/yusing/godoxy to 0.27.5 or later.

