CISA issues update for Casdoor arbitrary file write vulnerability

Casdoor has an arbitrary file write issue in its “Local File System” storage provider. The flaw can let an authenticated user with file upload permissions write outside the intended storage directory, enabling arbitrary file creation and modification with the privileges of the Casdoor runtime user.

The Local File System storage provider saves files to the dedicated $CASDOOR/files/ directory. During a file upload via the /api/upload-resource endpoint, Casdoor determines the target storage filepath by concatenating the user-supplied parameters pathPrefix and fullFilePath. Values provided for pathPrefix are not properly sanitized, so directory traversal sequences such as ../../ are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process. The application does not verify that the destination filepath remains inside the dedicated storage directory, and it will create or overwrite any file that the Casdoor process has permission to modify. CVE-2026-6815 is the identifier for this arbitrary file write vulnerability, which results from insufficient path sanitization and enables a path traversal attack to create or overwrite arbitrary files elsewhere on the host filesystem.
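The missing check described above is a containment test: after the prefix and filename are joined and normalised, the result must still lie inside the storage root. The following Go function is an added illustration of that check; it is not Casdoor's code and not the fix from the referenced pull request. The parameter names pathPrefix and fullFilePath are taken from the advisory, while the storage root /srv/casdoor/files and the sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideStorageDir is returned when the resolved path escapes the storage root.
var ErrOutsideStorageDir = errors.New("resolved path is outside the storage directory")

// ErrEmptyPath is returned when the caller supplied no file name at all.
var ErrEmptyPath = errors.New("no file path supplied")

// resolveStoragePath builds the on-disk destination for an upload from the
// caller-supplied pathPrefix and fullFilePath (parameter names as in the advisory;
// this is an illustrative helper, not Casdoor's implementation). Any result that
// does not stay strictly inside baseDir is rejected instead of being written.
func resolveStoragePath(baseDir, pathPrefix, fullFilePath string) (string, error) {
	root, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}

	// Join already cleans the result: "." and ".." components are collapsed and
	// a leading "/" in pathPrefix or fullFilePath cannot turn the path absolute.
	candidate := filepath.Join(root, pathPrefix, fullFilePath)

	// Rel expresses candidate relative to root. A relative path that is ".." or
	// starts with "../" means the traversal sequences escaped the root.
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	if rel == "." {
		return "", ErrEmptyPath
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideStorageDir
	}
	return candidate, nil
}

func main() {
	// Constructed inputs: one benign upload and two that try to leave the root.
	base := "/srv/casdoor/files"
	for _, in := range [][2]string{
		{"avatars", "user1/photo.png"},
		{"../../etc", "cron.d/job"},
		{"a/../../b", "x"},
	} {
		p, err := resolveStoragePath(base, in[0], in[1])
		if err != nil {
			fmt.Printf("reject prefix=%q file=%q: %v\n", in[0], in[1], err)
			continue
		}
		fmt.Printf("accept prefix=%q file=%q -> %s\n", in[0], in[1], p)
	}
}
```

The check is lexical only: it reasons about the path string, not the filesystem. If symlinks inside the storage directory are a concern, resolve the candidate with filepath.EvalSymlinks before the containment test, and keep the service account's filesystem permissions narrow as the guidance below recommends, so that a bypass of the check still cannot reach files such as cron directories or casdoor.db.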

Successful exploitation enables arbitrary file creation and modification on the host system, including overwriting any file accessible to the Casdoor process, establishing persistence by creating scheduled tasks or cron jobs through the filesystem as the Casdoor user, and overwriting Casdoor’s backend database file casdoor.db, which causes authentication services to fail and locks out all users and dependent applications.

Exploitation requires an authenticated session with sufficient permissions to manage storage providers and interact with the resource upload API. Depending on the privileges of the Casdoor service account, the vulnerability may allow escalation from application-level access to full host compromise. A pull request has been submitted to the Casdoor repository that implements proper validation of storage paths (https://github.com/casdoor/casdoor/pull/5458).

The published guidance states that deployments should limit administrative access and restrict the filesystem permissions of the Casdoor service account. Administrators should avoid using the Local File System provider or disable this service in multi-user or exposed environments.