Platform: java
Component: com.vaadin:flow-project
Fixed in: 14.14.1, 23.6.7, 24.9.9, 25.0.3, 2.13.1, 23.6.8, 24.9.10, 25.0.4, 14.14.1
CVE-2026-2741 describes a path traversal vulnerability affecting the Vaadin Flow Project. When Vaadin's frontend tooling downloads a Node.js distribution during the build and unpacks it, entry names inside the archive are not confined to the extraction directory, so an attacker who can intercept or control that download can write files outside it. The vulnerability affects versions 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Fixes are available in versions 14.14.1, 23.6.7, 24.9.9, and 25.0.3.
To exploit the vulnerability an attacker must get a malicious archive to the build in place of the genuine Node.js download, for example through DNS hijacking, a man-in-the-middle (MITM) position on the download connection, a compromised mirror, or another supply chain compromise. An archive whose entry names contain traversal sequences such as ../ is then unpacked, and the traversal entries are written to arbitrary locations on the file system of the machine performing the extraction: a developer workstation, a CI runner, or any server on which the build runs. Depending on the permissions of that process, this can lead to code execution (for example by overwriting a startup script or a file the build later executes), data exfiltration, or denial of service. The blast radius extends to everything readable or writable by the build process on that machine, including the Vaadin application's own sources, secrets and artifacts.
This vulnerability was publicly disclosed on 2026-03-10. Currently, there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. The EPSS score is low (0.06%, 19th percentile), consistent with the precondition that an attacker must first intercept or control the Node.js download, which is not trivial.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
The primary mitigation for CVE-2026-2741 is to upgrade to the fixed release for your branch (14.14.1, 23.6.7, 24.9.9, or 25.0.3, or later). If upgrading immediately is not feasible, remove the vulnerable download step instead: install a Node.js version compatible with your Vaadin version globally from a verified distribution so the build never fetches one. Where downloads remain, verify each archive against the SHASUMS256.txt file that the Node.js project publishes for every release (the file is signed by the release team's keys), and serve it from an internal mirror that you control and audit over TLS. Run builds with the least file system privilege practical and in isolated, disposable CI workspaces so that a stray write cannot reach sensitive files. A Web Application Firewall does not help here: the download is an outbound request made by the build process, not inbound traffic to the deployed application. Regularly scan your environment for vulnerable versions of Vaadin Flow Project.
Update Vaadin to version 14.14.1, 23.6.7, 24.9.9, or 25.0.3 or later, as appropriate for your current version. Alternatively, use a globally preinstalled Node.js version compatible with your Vaadin version.
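The two checks described above, verifying a downloaded archive against a SHASUMS256-style manifest before trusting it and refusing archive entries that resolve outside the extraction directory, as an added example in Python. This is not Vaadin's code and not how Vaadin's downloader is implemented; the archive contents, the file names and the manifest line are constructed for the demonstration, and the manifest format follows the "hexdigest  filename" lines of Node.js's SHASUMS256.txt. The naive extractor shows the vulnerable pattern, the safe one the check a fix needs.

```python
# Added example, not Vaadin's code: checksum verification plus zip-slip-safe
# extraction, run against constructed archives in a scratch directory.
import hashlib
import io
import os
import shutil
import tempfile
import zipfile


def parse_shasums(manifest_text):
    """Parse '<hexdigest>  <filename>' lines (the SHASUMS256.txt format)."""
    sums = {}
    for line in manifest_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            # sha256sum writes '*name' for binary mode; strip the marker.
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums


def verify_checksum(manifest_text, filename, data):
    """True only if data hashes to the digest the manifest lists for filename."""
    expected = parse_shasums(manifest_text).get(filename)
    if expected is None:
        return False  # unknown file: refuse rather than assume
    return hashlib.sha256(data).hexdigest() == expected


def naive_extract(archive_bytes, dest_dir):
    """The vulnerable pattern: trust entry names and join them onto dest_dir."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def safe_extract(archive_bytes, dest_dir):
    """Extract into dest_dir, rejecting any entry whose resolved path escapes it.
    Returns (extracted_names, rejected_names)."""
    dest_real = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # realpath collapses '..' and symlinked prefixes; an absolute entry
            # name makes join() drop dest_real, which the same check catches.
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if target != dest_real and not target.startswith(dest_real + os.sep):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_archives():
    """Constructed sample data: a benign archive and an attacker-served copy
    that adds one traversal entry. Names are illustrative, not real releases."""
    def make(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in entries:
                zf.writestr(name, body)
        return buf.getvalue()
    good = [("node-v20.0.0-linux-x64/bin/node", b"#!/bin/sh\necho node\n")]
    evil = good + [("../../.bashrc", b"# written outside the extraction dir\n")]
    return make(good), make(evil)


def demo():
    """Run both checks against the constructed archives in a scratch tree."""
    genuine, tampered = build_archives()
    name = "node-v20.0.0-linux-x64.zip"
    manifest = "%s  %s\n" % (hashlib.sha256(genuine).hexdigest(), name)
    root = tempfile.mkdtemp()
    try:
        naive_dest = os.path.join(root, "naive", "node")
        safe_dest = os.path.join(root, "safe", "node")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)
        naive_written = naive_extract(tampered, naive_dest)
        inside = os.path.realpath(naive_dest) + os.sep
        escaped = [p for p in naive_written if not p.startswith(inside)]
        extracted, rejected = safe_extract(tampered, safe_dest)
    finally:
        shutil.rmtree(root)  # the traversal entry lands under root, so this removes it too
    return {
        "checksum_ok_genuine": verify_checksum(manifest, name, genuine),
        "checksum_ok_tampered": verify_checksum(manifest, name, tampered),
        "naive_escaped": escaped,
        "safe_rejected": rejected,
        "safe_extracted": extracted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The checksum test fails for the tampered archive before any extraction happens, which is the check to run first; the path check is the defence that remains if an attacker also controls the manifest you fetched. Comparing against dest_real + os.sep rather than dest_real alone prevents a sibling directory such as node-evil from passing as inside node.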
CVE-2026-2741 is a path traversal vulnerability in Vaadin Flow Project: a malicious Node.js archive served to the build can write files outside the directory the archive is extracted into.
You are affected if you are using Vaadin Flow Project versions 14.2.0-14.14.0, 23.0.0-23.6.6, 24.0.0-24.9.8, or 25.0.0-25.0.2.
Upgrade to the fixed release for your branch: 14.14.1, 23.6.7, 24.9.9, or 25.0.3, or later. If an immediate upgrade isn't possible, use a globally preinstalled Node.js so the build does not download one, and verify any archive you do download against the published checksums.
There are currently no known public exploits or active campaigns targeting CVE-2026-2741.
Refer to the official Vaadin security advisory for CVE-2026-2741 on the Vaadin website.