Platform
nodejs
Component
saltcorn
Fixed in
1.4.6
1.5.1
1.6.1
CVE-2026-40163 describes a Path Traversal vulnerability discovered in Saltcorn, an open-source no-code database application builder. This flaw allows unauthenticated attackers to manipulate the server's filesystem, potentially leading to unauthorized access and code execution. The vulnerability impacts versions 1.4.0 through 1.6.0-beta.3, and a fix is available in version 1.4.5 and later.
The primary impact of CVE-2026-40163 is the ability for an unauthenticated attacker to write arbitrary files to the Saltcorn server's filesystem. The /sync/offlinechanges endpoint allows attackers to create directories and write malicious changes.json files. The /sync/uploadfinished endpoint then enables listing of directory contents and reading of these files. This could be leveraged to overwrite critical system files, inject malicious code, or exfiltrate sensitive data stored within the Saltcorn database. The lack of authentication significantly broadens the attack surface, making it accessible to anyone with network access to the Saltcorn instance.
This vulnerability was publicly disclosed on 2026-04-10. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it a potential target. It is not currently listed on the CISA KEV catalog. Given the lack of authentication and the potential for arbitrary file write, this vulnerability warrants immediate attention.
Exploit Status
EPSS
0.10% (28% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-40163 is to immediately upgrade Saltcorn to version 1.4.5 or later. If upgrading is not immediately feasible, consider implementing strict file system access controls to limit write permissions for the Saltcorn user. Additionally, a Web Application Firewall (WAF) could be configured to block requests to the vulnerable /sync/offlinechanges and /sync/uploadfinished endpoints. Monitor Saltcorn logs for suspicious file creation or access attempts.
Actualice Saltcorn a la versión 1.4.5, 1.5.5 o 1.6.0-beta.4 para mitigar la vulnerabilidad de recorrido de directorios no autenticado. Estas versiones corrigen el problema al implementar controles de acceso adecuados para las rutas /sync/offline_changes y /sync/upload_finished, previniendo la escritura arbitraria de archivos y la lectura de directorios.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40163 is a Path Traversal vulnerability affecting Saltcorn versions 1.4.0 through 1.6.0-beta.3, allowing unauthenticated attackers to write files to the server's filesystem.
You are affected if you are running Saltcorn versions 1.4.0 through 1.6.0-beta.3. Upgrade to 1.4.5 or later to mitigate the risk.
Upgrade Saltcorn to version 1.4.5 or later. If immediate upgrade is not possible, implement file system access controls and consider WAF rules.
While no public exploits are currently known, the ease of exploitation makes it a potential target and warrants immediate attention.
Refer to the Saltcorn security advisory for detailed information and updates: [https://saltcorn.com/security/advisories](https://saltcorn.com/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.