high · 7.7CVE-2026-53553Jul 7, 2026

CVE-2026-53553: Goploy Arbitrary File Read via Path Traversal in /deploy/fileDiff

Rohit Hatagale
AI Security Researcher, SecureLayer7

Any low-privileged Goploy user can read arbitrary files on both the Goploy server and every remote server it manages by sending a crafted file path to the file-comparison API.

Packagegithub.com/zhenorzz/goploy
Ecosystemgo
Affected<= 1.17.5

The problem

Goploy versions up to and including 1.17.5 pass the client-supplied `filePath` parameter in the `/deploy/fileDiff` endpoint directly to `os.ReadFile` (local) and an SFTP read (remote) with no path sanitization.

The default `member` role is granted the File Compare permission out of the box, so any registered user can call this endpoint. An attacker who knows one valid `projectId` and `serverId` value can read any file on the host and on every managed deployment target.

Proof of concept

A working proof-of-concept for CVE-2026-53553 in github.com/zhenorzz/goploy, with the exact payload below.

http
POST /deploy/fileDiff HTTP/1.1
Host: <target>:8080
Cookie: goploy_token=<valid_member_token>
Content-Type: application/json
G-N-ID: 1

{"projectId":1,"serverId":1,"filePath":"../../../../../../../../../../../../../../../../../etc/passwd"}

The `filePath` value is concatenated with the project's local base directory and passed to `os.ReadFile` without calling `filepath.Clean` or verifying that the resulting absolute path is still inside the project root. Fifteen `../` segments are enough to escape any realistic deployment directory tree and reach the filesystem root.

The same unsanitized value is forwarded over SFTP to the target server identified by `serverId`, so a single request leaks files from two machines simultaneously. The response returns local content in `srcText` and remote content in `distText`.

The fix requires cleaning the path with `filepath.Clean`, then asserting that the resolved absolute path has the expected project-directory prefix before any read operation is performed (CWE-22).

The fix

Upgrade to Goploy v1.17.6 or later, where the path is sanitized and constrained to the project workspace before any file read. Until you can upgrade, remove the File Compare permission from all roles in Namespace settings, or restrict API access at the network level.

Reporter not attributed.

References: [1][2]

Related research