CVE-2026-53553
Click here to jump to the Simplified Chinese version (点击跳转到简体中文版本)
Goploy System Arbitrary File Read Vulnerability
Basic Information
- Vulnerability Name: Goploy Endpoints Arbitrary File Read via Path Traversal
- Vulnerability Type: Path Traversal (CWE-22) / Arbitrary File Read
- Affected Product: Goploy
- Severity Level: High (CVSS V3 7.7)
- Known Affected Versions: <=1.17.5
Vulnerability Description
Goploy is an open-source automation deployment system. A severe path traversal vulnerability exists in its backend API endpoints, specifically /deploy/fileDiff (File Compare), when handling file paths provided by the client.
The original logic of this endpoint is to read a local project file and compare it with a file on a remote target server. However, due to insufficient validation and sanitization of the filePath parameter, and the lack of security constraints on the final absolute file path, malicious paths containing ../ are directly executed within the system.
This leads to a dual arbitrary file read issue:
1. Local Host File Read: os.ReadFile is tricked by the directory traversal payload to read any file via its absolute path on the Goploy local host (returned in the srcText field of the response body).
2. Remote Controlled Server File Read: Subsequently, the same payload is utilized via the SFTP protocol on the target server pointed to by the serverID. Influenced similarly by the directory traversal, it reads any file on the configured remote server (returned in the distText field of the response body).
The threshold for exploiting this vulnerability is extremely low, and the conditions are very easily met. The system comes with a built-in member role upon default installation, which is granted the "File Compare" permission by default. This means that as long as a normal low-privileged user is added to the system, they inherently possess the basic privileges required to call the vulnerable endpoint. The only prerequisite for the attack is that at least one
⚡ Watch CVE-2026-53553
Get an email if CVE-2026-53553 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-53553)