CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-8023

highpublic exploitCVSS 7.5covered by 1 sourcefirst seen 2026-06-29
Public exploit code is available. Proof-of-concept or working exploit code for CVE-2026-8023 is indexed in GitHub PoC. Expect opportunistic scanning and exploitation attempts — prioritize remediation even though it is not (yet) in the CISA KEV catalog.
Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client-url_buffer (assembled in on_url() for HTTP/1 and copied verbatim from the :path pseudo-header for HTTP/2) without resolving ./.. segments. The static-FS handler then built the on-disk filename by directly concatenating the configured root with that raw URL (snprintk(fname, ..., "%s%s", static_fs_detail-fs_path, client-url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ). Because the handler is reached via wildcard/leading-dir (fnmatch FNM_LEADING_DIR) or fallback resource matching, a request such as GET /<prefix/../../<file is dispatched to the handler and, after the underlying filesystem (e.g. LittleFS/FAT) resolves the .. segments, escapes the configured web root, letting an unauthenticated remote client read arbitrary readable files on the mounted volume (information disclosure). The HTTP server requires no TLS or authentication to reach this path. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal. Affects releases v4.0.0 through v4.4.0 for deployments that register a static-filesystem resource.

⚡ Watch CVE-2026-8023

Get an email if CVE-2026-8023 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Exploit availability

Public exploit or proof-of-concept code for CVE-2026-8023 is indexed in these free datasets. Available exploit code raises real-world risk independent of the CVSS score.

Advisory coverage (1)

External references

NVD record for CVE-2026-8023

CVE.org record

Embed the live status

CVE-2026-8023 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-8023 status](https://www.csirts.com/badge/CVE-2026-8023)](https://www.csirts.com/cve/CVE-2026-8023)