HIGHCVE-2026-3838CVSS 8.8

CVE-2026-3838: RCE in Unraid Update System

Platform

linux

Component

unraid

Fixed in

7.2.4

AI Confidence: highNVDEPSS 1.6%Reviewed: May 2026

View on NVD

Save

CVE-2026-3838 is a Remote Code Execution (RCE) vulnerability affecting Unraid, a network-attached storage (NAS) operating system. This flaw allows authenticated attackers to execute arbitrary code on vulnerable systems, potentially leading to complete compromise. The vulnerability impacts Unraid versions 7.2.3–7.2.3 and has been addressed with a security update.

Impact and Attack Scenarios

The vulnerability resides within the update.php file, specifically due to insufficient validation of user-supplied paths. An attacker who can authenticate to the Unraid system can craft a malicious request that leverages this path traversal flaw. This allows them to read or write files outside of the intended directory, ultimately enabling arbitrary code execution. Given that Unraid often runs with root privileges, successful exploitation grants the attacker full control over the system, including access to sensitive data stored on the NAS, the ability to install malware, and potential lateral movement to other devices on the network. This vulnerability shares similarities with other path traversal exploits where attackers manipulate file paths to bypass security controls.

Exploitation Context

This vulnerability was reported to ZDI (ZDI-CAN-28951) and subsequently disclosed via CVE-2026-3838 on 2026-03-13. Public proof-of-concept (PoC) code is currently unavailable, but the relatively high CVSS score and the ease of exploitation (requiring only authentication) suggest a medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

1.57% (81% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impact

Affected Software

Componentunraid

VendorUnraid

Affected rangeFixed in

7.2.3 – 7.2.37.2.4

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2026-03-09
Published2026-03-13
Modified2026-03-16
EPSS updated2026-03-23

Unpatched — 72 days since disclosure

Mitigation and Workarounds

The primary mitigation is to immediately upgrade Unraid to a patched version. Until the upgrade is possible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests containing suspicious path traversal patterns, such as sequences of ../. Carefully review and restrict file access permissions within the Unraid environment to limit the potential impact of a successful exploit. Monitor Unraid logs for unusual activity, particularly requests to the update.php file. After upgrade, confirm by attempting a system update and verifying that the version number reflects the patched release.

How to fix

Update Unraid to a version later than 7.2.3. This will resolve the path traversal vulnerability in the update.php file.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-3838 — RCE in Unraid?

CVE-2026-3838 is a Remote Code Execution vulnerability in Unraid versions 7.2.3–7.2.3, allowing authenticated attackers to execute arbitrary code.

Am I affected by CVE-2026-3838 in Unraid?

If you are running Unraid version 7.2.3–7.2.3, you are potentially affected. Upgrade immediately.

How do I fix CVE-2026-3838 in Unraid?

Upgrade Unraid to the latest patched version. As a temporary measure, implement WAF rules to block suspicious requests.

Is CVE-2026-3838 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential risk.

Where can I find the official Unraid advisory for CVE-2026-3838?

Refer to the official Unraid security advisory on their website for detailed information and updates.