CVE-2026-33529: RCE in Zoraxy Configuration Import
Platform: go
Component: github.com/tobychui/zoraxy
Fixed in: 3.3.3, 3.3.2
CVE-2026-33529 describes a Remote Code Execution (RCE) vulnerability within the configuration import endpoint of Zoraxy, a Go-based application. An authenticated attacker can leverage path traversal to write arbitrary files outside the designated configuration directory, potentially leading to full system compromise. This vulnerability affects versions prior to 3.3.2, and a patch has been released to address the issue.
Impact and Attack Scenarios
The core of this vulnerability lies in the inadequate sanitization of zip entry names during the configuration import process. An authenticated attacker can craft a malicious zip file whose entry name bypasses the intended sanitization logic: because the sanitizer removes ../ by string replacement, an entry name with embedded ../ sequences can survive the replacement step with traversal characters still present, allowing the attacker to write files to arbitrary locations. This can be exploited to create a malicious plugin, effectively achieving remote code execution. The blast radius extends to the entire system, as successful exploitation grants the attacker control over the server hosting the Zoraxy instance.
Exploitation Context
CVE-2026-33529 was publicly disclosed on 2026-03-25. The CVSS base score is 3.3 (Low severity), and the low EPSS estimate (0.05%) likewise suggests a relatively low probability of exploitation in the wild. No public proof-of-concept (PoC) code has been identified as of this writing, and the vulnerability is not currently listed in the CISA KEV catalog. The authentication requirement limits its immediate exploitability, but the potential for RCE remains a significant concern.
Threat Intelligence
EPSS: 0.05% (17th percentile)
CVSS vector (reconstructed from the metric breakdown below): AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation is to immediately upgrade Zoraxy to version 3.3.2 or later, which includes the fix for the path traversal vulnerability. If upgrading is not immediately feasible, consider a temporary workaround of restricting write access to the configuration directory to only the Zoraxy application user. Additionally, implement strict input validation on all user-supplied data, particularly during file uploads and imports. Monitor system logs for suspicious file creation activity within the configuration directory. After upgrading, confirm the fix by attempting a configuration import with a zip file containing a deliberately malicious entry name (e.g., conf/../../../../etc/passwd) and verifying that no file is written outside the configuration directory.
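The root cause above is a sanitizer that strips ../ by string replacement, and the post-upgrade check asks whether a traversal entry name can still land outside the configuration directory. As an added illustration that is not Zoraxy's own code, the Go helper below resolves each zip entry name under the configuration directory by cleaning the whole path and checking containment instead of stripping anything, and scans an uploaded archive so an import can be refused before a single file is written. The base directory /opt/zoraxy/conf is a hypothetical placeholder; the traversal name is the one quoted in the mitigation text.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errTraversal = errors.New("zip entry would escape the configuration directory")

// safeJoin resolves a zip entry name under baseDir and rejects any name that would land
// outside it: IsLocal refuses absolute names and any net "..", and Join cleans the full
// path (collapsing every ".." component, not just the first) before the containment check.
func safeJoin(baseDir, entryName string) (string, error) {
	name := filepath.FromSlash(strings.ReplaceAll(entryName, `\`, "/")) // backslashes count as separators too
	if !filepath.IsLocal(name) {
		return "", errTraversal
	}
	base := filepath.Clean(baseDir)
	if dst := filepath.Join(base, name); strings.HasPrefix(dst, base+string(filepath.Separator)) {
		return dst, nil
	}
	return "", errTraversal
}

// unsafeEntries lists every archive entry that safeJoin rejects, so an import can be
// refused up front instead of discovering the problem after files have been written.
func unsafeEntries(archive []byte, baseDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // path safety is checked below instead
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := safeJoin(baseDir, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

func main() {
	// Hypothetical config directory; the entry name is the advisory's own traversal example.
	_, err := safeJoin("/opt/zoraxy/conf", "conf/../../../../etc/passwd")
	fmt.Println(err)
}
```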
How to fix
Update Zoraxy to version 3.3.2 or higher. This version fixes the path traversal vulnerability that allows remote code execution. The update can be performed by downloading the new version from the official repository and replacing the existing files.
Frequently asked questions
What is CVE-2026-33529 — RCE in Zoraxy Configuration Import?
CVE-2026-33529 is a Remote Code Execution vulnerability in Zoraxy versions prior to 3.3.2. An authenticated user can exploit path traversal during configuration import to write arbitrary files, potentially leading to RCE.
Am I affected by CVE-2026-33529 in Zoraxy?
You are affected if you are running Zoraxy versions 3.3.1 or earlier and utilize the configuration import functionality. Upgrade to 3.3.2 or later to mitigate the risk.
How do I fix CVE-2026-33529 in Zoraxy?
Upgrade Zoraxy to version 3.3.2 or later. As a temporary workaround, restrict write access to the configuration directory and implement strict input validation.
Is CVE-2026-33529 being actively exploited?
There is currently no evidence of active exploitation in the wild, but the potential for RCE remains a significant concern.
Where can I find the official Zoraxy advisory for CVE-2026-33529?
Refer to the Zoraxy project's official repository and release notes for the advisory and detailed information regarding the fix: [https://github.com/tobychui/zoraxy](https://github.com/tobychui/zoraxy)