Platform
other
Component
http-server
Fixed in
1.0.1
CVE-2026-24469 describes a Path Traversal vulnerability present in C++ HTTP Server versions 1.0 and earlier. This vulnerability allows an unauthenticated attacker to read arbitrary files from the server's filesystem. The flaw is located in the RequestHandler::handleRequest method due to improper handling of user-supplied URL paths. A patch is available in version 1.0.1.
Successful exploitation of CVE-2026-24469 allows an attacker to read any file accessible to the user account running the C++ HTTP Server process. This includes sensitive configuration files, source code, and potentially even user data if the server is configured to store such information. The attacker could gain valuable insights into the server's internal workings and potentially use this information to further compromise the system. While the vulnerability is not directly exploitable for remote code execution, the information gained from file access could be leveraged for other attacks. The blast radius is limited to the server itself and any data it has access to.
CVE-2026-24469 was publicly disclosed on 2026-01-24. There is no indication of this vulnerability being actively exploited at this time. No public proof-of-concept exploits have been published. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24469 is to upgrade to version 1.0.1 of C++ HTTP Server. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter malicious HTTP GET requests containing ../ sequences. Restrict file access permissions for the user account running the server to only the necessary files and directories. Thoroughly review the server's configuration to ensure that sensitive files are not exposed. After upgrading, confirm the fix by attempting to access files outside the intended root directory via HTTP GET requests; access should be denied.
No patch is available. It is recommended not to use the vulnerable C++ HTTP Server version or to implement a mitigation solution that validates and sanitizes the requested file paths to prevent directory traversal. Consider using a more robust and maintained HTTP server.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-24469 is a Path Traversal vulnerability affecting C++ HTTP Server versions 1.0 and earlier, allowing attackers to read arbitrary files.
You are affected if you are using C++ HTTP Server version 1.0 or earlier. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1 of C++ HTTP Server. As a temporary workaround, implement a WAF or restrict file access permissions.
There is currently no evidence of CVE-2026-24469 being actively exploited.
Refer to the C++ HTTP Server project's official website or repository for the advisory related to CVE-2026-24469.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.