CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53552

criticalCVSS 9.6covered by 1 sourcefirst seen 2026-07-07
Summary Project.AddFile, Project.EditFile, Project.RemoveFile, and Project.Edit in cmd/server/api/project/handler.go accept a project or project-file row id from the JSON body and act on it without checking that the project belongs to the caller's namespace. The corresponding model.ProjectFile.GetData and model.Project.GetData queries filter only by row id. A user holding the manager role (or any role that includes the FileSync / EditProject permission) in their own namespace can read, write, or delete files in any project across the install, and can rewrite any project's git remote URL by submitting the foreign id in the body. The git-URL primitive escalates to RCE on the next deploy because Edit runs git remote set-url on the project's working tree. Affected zhenorzz/goploy develop HEAD as of 2026-05-27. Verified against the zhenorzz/goploy:1.17.5 Docker image (docker.io/zhenorzz/goploy@sha256:69d08e1d16d7a7167426c89456c4bcef8e077a16554a4067ff258fff26d5cd44). The four handlers and the model lookups have been in this shape across the file API and project metadata API. Vulnerable code cmd/server/api/project/handler.go::AddFile (creates file under any project's directory; body controls projectId): func (Project) AddFile(gp *server.Goploy) server.Response { type ReqData struct { ProjectID int64 json:"projectId" validate:"required,gt=0" Content string json:"content" validate:"required" Filename string json:"filename" validate:"required" } var reqData ReqData if err := gp.Decode(&reqData); err != nil { ... } filePath := path.Join(config.GetProjectFilePath(reqData.ProjectID), reqData.Filename) // ... os.Create(filePath); file.WriteString(reqData.Content) id, err := model.ProjectFile{ProjectID: reqData.ProjectID, Filename: reqData.Filename}.AddRow() } cmd/server/api/project/handler.go::EditFile (overwrites file content; body controls file id, server derives project from the file row): func (Project) EditFile(gp *server.Goploy) server.Response { type ReqData stru

⚡ Watch CVE-2026-53552

Get an email if CVE-2026-53552 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53552

CVE.org record

Embed the live status

CVE-2026-53552 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53552 status](https://www.csirts.com/badge/CVE-2026-53552)](https://www.csirts.com/cve/CVE-2026-53552)