CVE-2026-53553: Goploy Arbitrary File Read via Path Traversal in /deploy/fileDiff
Any low-privileged Goploy user can read arbitrary files on both the Goploy server and every remote server it manages by sending a crafted file path to the file-comparison API.
The problem
Goploy versions up to and including 1.17.5 pass the client-supplied `filePath` parameter in the `/deploy/fileDiff` endpoint directly to `os.ReadFile` (local) and an SFTP read (remote) with no path sanitization.
The default `member` role is granted the File Compare permission out of the box, so any registered user can call this endpoint. An attacker who knows one valid `projectId` and `serverId` value can read any file on the host and on every managed deployment target.
Proof of concept
A working proof-of-concept for CVE-2026-53553 in github.com/zhenorzz/goploy, with the exact payload below.
POST /deploy/fileDiff HTTP/1.1
Host: <target>:8080
Cookie: goploy_token=<valid_member_token>
Content-Type: application/json
G-N-ID: 1
{"projectId":1,"serverId":1,"filePath":"../../../../../../../../../../../../../../../../../etc/passwd"}The `filePath` value is concatenated with the project's local base directory and passed to `os.ReadFile` without calling `filepath.Clean` or verifying that the resulting absolute path is still inside the project root. Fifteen `../` segments are enough to escape any realistic deployment directory tree and reach the filesystem root.
The same unsanitized value is forwarded over SFTP to the target server identified by `serverId`, so a single request leaks files from two machines simultaneously. The response returns local content in `srcText` and remote content in `distText`.
The fix requires cleaning the path with `filepath.Clean`, then asserting that the resolved absolute path has the expected project-directory prefix before any read operation is performed (CWE-22).
The fix
Upgrade to Goploy v1.17.6 or later, where the path is sanitized and constrained to the project workspace before any file read. Until you can upgrade, remove the File Compare permission from all roles in Namespace settings, or restrict API access at the network level.
Related research
- critical · 9.6CVE-2026-53552CVE-2026-53552: Goploy Cross-Namespace IDOR and RCE via Body-Controlled Project ID
- high · 7.1CVE-2026-50163CVE-2026-50163: oras-go Hardlink Path Traversal via CWD Resolution
- high · 8.1Fission MessageQueueTrigger Secret Exfiltration and PodSpec Injection
- high · 7.1CVE-2026-49339CVE-2026-49339: gonic Playlist ID Path Traversal Bypasses Ownership Check