Path Traversal in Casdoor 3.54.1 Enables Arbitrary File Write and Remote Code Execution
What Happened — A newly disclosed CVE‑2026‑6815 affects Casdoor versions < 3.54.1. An authenticated administrator can create a “Local File System” storage provider with a crafted pathPrefix, bypassing the storage sandbox and writing, overwriting, or deleting arbitrary files on the host filesystem. The flaw can be leveraged for SSH‑key injection, web‑shell upload, or database corruption, leading to remote code execution (RCE) or persistent denial‑of‑service.
Why It Matters for TPRM —
- Critical IAM platforms are often embedded in supply‑chain authentication flows; a compromise can cascade to downstream services.
- Arbitrary file write grants attackers footholds for credential theft, lateral movement, and ransomware deployment.
- Many organizations run Casdoor in Docker or Kubernetes; container escape or host compromise can affect the entire environment.
Who Is Affected — SaaS providers, cloud‑native applications, and enterprises that deploy Casdoor as an identity‑as‑a‑service (IAM) solution, especially those on Linux/Docker stacks.
Recommended Actions —
- Verify that all Casdoor deployments are upgraded to 3.54.1 or later.
- Review IAM admin account hygiene; enforce MFA and least‑privilege for storage‑provider management APIs.
- Conduct a file‑system integrity scan for unexpected files in typical write paths (
/home/casdoor/.ssh/,/app/,/var/www/html/). - Apply runtime hardening (read‑only root filesystem, container security contexts) to mitigate impact if exploitation occurs.
Technical Notes — The vulnerability is a path‑traversal flaw in the storage provider management component. Exploitation requires valid admin credentials and results in arbitrary file write, which can be chained to RCE via SSH‑key injection or web‑shell placement. No CVE‑specific patches were available at the time of disclosure; mitigation relies on immediate version upgrade and credential controls. Source: Exploit‑DB 52584