CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-26rh-24rg-j3vv: Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers

criticalCVSS 9.6CVE-2026-53552
Summary Project.AddFile, Project.EditFile, Project.RemoveFile, and Project.Edit in cmd/server/api/project/handler.go accept a project or project-file row id from the JSON body and act on it without checking that the project belongs to the caller's namespace. The corresponding model.ProjectFile.GetData and model.Project.GetData queries filter only by row id. A user holding the manager role (or any role that includes the FileSync / EditProject permission) in their own namespace can read, write, or delete files in any project across the install, and can rewrite any project's git remote URL by submitting the foreign id in the body. The git-URL primitive escalates to RCE on the next deploy because Edit runs git remote set-url on the project's working tree. Affected zhenorzz/goploy develop HEAD as of 2026-05-27. Verified against the zhenorzz/goploy:1.17.5 Docker image (docker.io/zhenorzz/goploy@sha256:69d08e1d16d7a7167426c89456c4bcef8e077a16554a4067ff258fff26d5cd44). The four handlers and the model lookups have been in this shape across the file API and project metadata API. Vulnerable code cmd/server/api/project/handler.go::AddFile (creates file under any project's directory; body controls projectId): func (Project) AddFile(gp *server.Goploy) server.Response { type ReqData struct { ProjectID int64 json:"projectId" validate:"required,gt=0" Content string json:"content" validate:"required" Filename string json:"filename" validate:"required" } var reqData ReqData if err := gp.Decode(&reqData); err != nil { ... } filePath := path.Join(config.GetProjectFilePath(reqData.ProjectID), reqData.Filename) // ... os.Create(filePath); file.WriteString(reqData.Content) id, err := model.ProjectFile{ProjectID: reqData.ProjectID, Filename: reqData.Filename}.AddRow() } cmd/server/api/project/handler.go::EditFile (overwrites file content; body controls file id, server derives project from the file row): func (Project) EditFile(gp *server.Goploy) server.Response { type ReqData stru

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.6
Published
2026-07-07
Last updated
2026-07-07
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-26rh-24rg-j3vv

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-53552coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories