CVE-2026-8023: Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files
Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client-url_buffer (assembled in on_url() for HTTP/1 and copied verbatim from the :path pseudo-header for HTTP/2) without resolving ./.. segments. The static-FS handler then built the on-disk filename by directly concatenating the configured root with that raw URL (snprintk(fname, ..., "%s%s", static_fs_detail-fs_path, client-url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ). Because the handler is reached via wildcard/leading-dir (fnmatch FNM_LEADING_DIR) or fallback resource matching, a request such as GET /<prefix/../../<file is dispatched to the handler and, after the underlying filesystem (e.g. LittleFS/FAT) resolves the .. segments, escapes the configured web root, letting an unauthenticated remote client read arbitrary readable files on the mounted volume (information disclosure). The HTTP server requires no TLS or authentication to reach this path. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal. Affects releases v4.0.0 through v4.4.0 for deployments that register a static-filesystem resource.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-8023
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-80230.91% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 56% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-8023 | coverage & exploitation status | NVD · CVE.org |
More from NVD Recent CVEs
- mediumCVE-2026-15485: A flaw has been found in TRENDnet TEW-821DAP 1.11B03. The impacted element is the function sub…2026-07-12
- highCVE-2026-15484: A vulnerability was detected in TRENDnet TEW-821DAP 1.12B01. The affected element is the funct…2026-07-12
- highCVE-2026-15483: A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the fun…2026-07-12
- highCVE-2026-15482: A weakness has been identified in Aster Telecom Azcall 10/11. This issue affects some unknown …2026-07-12
- highCVE-2026-15481: A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. This vulnerability a…2026-07-12