Platform: rust
Component: salvo
Fixed in: 0.39.1, 0.89.3
CVE-2026-33242 describes a Path Traversal and Access Control Bypass vulnerability found in the salvo-proxy component of the Salvo Rust framework. This flaw allows unauthenticated attackers to circumvent proxy routing and potentially access sensitive backend resources, such as protected endpoints or administrative interfaces. The vulnerability affects versions up to 0.89.2 and has been resolved in version 0.89.3.
The primary impact of CVE-2026-33242 is the potential for unauthorized access to backend systems. An attacker can exploit this vulnerability by crafting malicious requests containing "../" sequences that are not properly normalized by the encodeurlpath function. This allows them to bypass the intended proxy routing and directly access resources that should be protected. The blast radius extends to any sensitive data or functionality exposed through these backend paths, potentially including administrative dashboards, API endpoints, or internal services. Successful exploitation could lead to data breaches, system compromise, and further lateral movement within the network.
CVE-2026-33242 was publicly disclosed on 2026-03-19. The vulnerability's severity is rated HIGH with a CVSS score of 7.5. Currently, there are no known public proof-of-concept exploits, and no reports of active exploitation campaigns. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.02% (4th percentile)
The recommended mitigation for CVE-2026-33242 is to immediately upgrade to Salvo Rust framework version 0.89.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with strict URL filtering rules to block requests containing suspicious sequences like "../". Additionally, review and harden proxy routing configurations to minimize the potential impact of this vulnerability. There are no known configuration workarounds beyond these measures. After upgrading, confirm the fix by attempting to access a protected backend resource using a crafted URL containing "../" sequences; the request should be blocked or redirected.
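As an added example (not Salvo's code and not the project's actual fix), the kind of path check a proxy layer can apply before forwarding a request: it percent-decodes once, collapses "." and ".." segments, refuses anything that climbs above the root or carries a second layer of encoding, and then confirms the result still sits under the upstream prefix. The function names and the prefix policy are hypothetical.

```rust
// Added example, not Salvo's code: a defensive path check to run before a
// proxy forwards a request upstream.

/// Decode %XX escapes exactly once; None on malformed or non-UTF-8 input.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = s.get(i + 1..i + 3)?;
            // Require two real hex digits; from_str_radix alone accepts "+1".
            if !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
                return None;
            }
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Normalize a request path: decode once, collapse "." and "..", and refuse
/// any path that would climb above the root. Returns the canonical path.
pub fn normalize_path(raw: &str) -> Option<String> {
    let decoded = percent_decode(raw)?;
    // A '%' surviving one decode means double encoding (e.g. "%252e");
    // reject it instead of decoding again.
    if decoded.contains('%') {
        return None;
    }
    let mut stack: Vec<&str> = Vec::new();
    for seg in decoded.split('/') {
        match seg {
            "" | "." => continue,
            ".." => {
                stack.pop()?; // nothing left to pop: escape attempt -> None
            }
            s => stack.push(s),
        }
    }
    Some(format!("/{}", stack.join("/")))
}

/// Proxy policy: forward only if the normalized path stays under `prefix`.
pub fn allowed_for_prefix(raw: &str, prefix: &str) -> bool {
    match normalize_path(raw) {
        Some(p) => p == prefix || p.starts_with(&format!("{}/", prefix)),
        None => false,
    }
}
```

A request such as `/api/../admin` or `/api/%2e%2e/admin` normalizes to `/admin` and is refused for the `/api` prefix, while `/api/v1/../users` resolves to `/api/users` and passes.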
Update Salvo to version 0.89.3 or later. This version fixes the Path Traversal vulnerability in the salvo-proxy component.
CVE-2026-33242 is a Path Traversal vulnerability in the Salvo Rust framework, allowing attackers to bypass proxy routing and access backend resources.
You are affected if you are using Salvo Rust framework versions prior to 0.89.3 and expose backend resources through the proxy.
Upgrade to Salvo Rust framework version 0.89.3 or later. Implement WAF rules to block suspicious URL patterns as a temporary mitigation.
There are currently no known reports of active exploitation campaigns for CVE-2026-33242.
Refer to the Salvo project's official release notes and security advisories on their GitHub repository for the latest information.