Vulnerability Overview
CVE ID: CVE-2026-21857
Affected Product: REDAXO CMS – Backup Add-on
Vulnerability Type: Path Traversal leading to Arbitrary File Disclosure
Severity: High
CVSS v3.x Score: 8.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High (Authenticated backend user with Backup permission)
User Interaction: None
Exploit Availability: Proof-of-concept techniques
Patch Status: Fixed in REDAXO version 5.20.2
Executive Summary
CVE-2026-21857 is a high-impact vulnerability affecting the Backup add-on in REDAXO CMS. The flaw allows an authenticated backend user with Backup privileges to extract sensitive server-side files by abusing the backup export functionality.
By manipulating a directory parameter in a backup export request, an attacker can cause files outside the intended backup scope to be included in a downloadable archive. This can result in exposure of configuration files, database credentials, password hashes, and other sensitive internal resources.
While authentication is required, the consequences of exploitation are severe and can easily lead to full system compromise.
Vulnerability Description
The REDAXO Backup add-on allows administrators to export files by selecting directories via the backend interface. These selections are transmitted to the server through an HTTP POST request using parameters such as EXPDIR.
The vulnerability exists because these directory values are not sufficiently validated on the server side. The application does not prevent directory traversal sequences or absolute paths, allowing attackers to escape the intended backup directory.
As a result, the backup mechanism can be abused to read arbitrary files from the server’s file system.
Technical Root Cause
The root cause of this issue lies in improper input validation. The Backup add-on constructs file paths for archive creation using user-supplied directory values without enforcing a strict allow-list or validating resolved paths.
There is no effective mechanism to ensure that the final resolved path remains within the permitted backup directory. This behavior aligns with CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal).
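The containment check the paragraph describes, written out as an added Python example (it is not REDAXO's own code, which is PHP; the backup root and the allow-list are assumed values for the demonstration): reject absolute values before joining, canonicalise the joined path, confirm the result is still inside the backup root with a proper common-path comparison rather than a string prefix, and then require the directory to be on an explicit allow-list as a second, independent control.

```python
import posixpath
from typing import List, Optional, Tuple

# Assumed backup root and allow-list for this demonstration (constructed; not REDAXO's real layout).
BACKUP_ROOT = "/srv/redaxo/backup"
ALLOWED_EXPORT_DIRS = {"media", "data/addons", "cache"}


def resolve_export_dir(backup_root: str, user_value: str) -> Optional[str]:
    """Return the canonical path if user_value stays inside backup_root, else None.

    posixpath is used so the result is deterministic on any host; on a real server
    realpath() should be applied as well so that symlinks cannot point outside.
    """
    # An absolute value must be rejected before joining: posixpath.join discards the
    # base entirely when the second argument starts with "/", which is exactly the
    # failure mode behind CWE-22 issues such as the one described above.
    if posixpath.isabs(user_value):
        return None
    root = posixpath.normpath(backup_root)
    # normpath collapses "..", "." and duplicate separators into one canonical form.
    candidate = posixpath.normpath(posixpath.join(root, user_value))
    # commonpath (not str.startswith) avoids prefix collisions: /srv/redaxo/backup2
    # starts with "/srv/redaxo/backup" but is not inside it.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def filter_export_dirs(values: List[str]) -> Tuple[List[str], List[str]]:
    """Split requested directories into accepted canonical paths and rejected raw values."""
    accepted, rejected = [], []
    for value in values:
        resolved = resolve_export_dir(BACKUP_ROOT, value)
        if resolved is None:
            rejected.append(value)
            continue
        # Second control: only known export directories may be archived at all.
        relative = posixpath.relpath(resolved, BACKUP_ROOT)
        if relative not in ALLOWED_EXPORT_DIRS:
            rejected.append(value)
            continue
        accepted.append(resolved)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_export_dirs(["media", "cache/../media", "../../../../etc", "/var/www/", "data/addons"])
    print("accepted:", ok)
    print("rejected:", bad)
```

The two checks are deliberately separate: the containment check stops traversal and absolute paths, while the allow-list stops a request for a directory that is inside the root but was never meant to be exportable.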
Exploitation Scenario (Educational Purpose Only)
The following explanation is provided strictly for educational, defensive, and validation purposes.
- An attacker logs into the REDAXO backend with an account that has Backup permissions.
- The attacker navigates to the Backup → Export → Files section.
- Using browser developer tools or an intercepting proxy, the outgoing POST request is captured.
- The directory parameter (for example, EXPDIR[]) is modified to include directory traversal sequences such as ../../../../ or internal absolute paths.
- The modified request is submitted to the server.
- REDAXO processes the request and creates a backup archive containing files from outside the intended directory.
- The attacker downloads and extracts the archive to access sensitive files.
Impact and Exposed Data
Successful exploitation may result in exposure of:
- Database configuration files containing credentials
- Backend password hashes
- Application secrets and cryptographic salts
- Environment configuration files
- Internal application and access logs
- Uploaded files not intended for public access
Disclosure of database credentials or password hashes often enables further escalation, including account takeover and full CMS compromise.
Real-World Risk
In real-world deployments, Backup permissions are often granted to operational or support staff. Combined with credential reuse and internal database access, this vulnerability significantly increases organizational risk.
Potential outcomes include:
- Complete administrative takeover of the CMS
- Unauthorized database access and data exfiltration
- Regulatory and compliance violations
- Lateral movement within internal infrastructure
MITRE Mapping
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- Primary Impact: Confidentiality compromise
- Secondary Risk: Privilege escalation and further exploitation when chained with other vulnerabilities
Detection and Monitoring
Indicators of Exploitation
- Backup export requests containing directory traversal patterns
- Use of absolute server paths in backup parameters
- Backup operations performed outside normal maintenance windows
- Backup downloads initiated by unexpected backend users
- Unusually large or inconsistent backup archive sizes
Common Payload Patterns
EXPDIR[]=../
EXPDIR[]=../../../../
EXPDIR[]=/var/www/
EXPDIR[]=/redaxo/data/core
Recommended Log Sources
For effective detection and investigation, monitor the following sources:
- Web server access logs (Apache / Nginx)
- REDAXO application logs
- Backend audit and activity logs
- Web Application Firewall (WAF) logs
- Proxy and download logs for exported archives
Detection Logic
SIEM Detection Concept:
- Identify POST requests targeting backup export functionality
- Inspect request bodies for traversal patterns
- Correlate events with authenticated backend sessions
WAF Detection Concept:
- Block or alert on backup-related POST parameters containing ../ or absolute file paths
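The SIEM concept above, combined with the indicators and payload patterns from the preceding sections, as an added Python example (not REDAXO's or any vendor's detection content). It runs over constructed sample lines in an assumed audit-log format that carries the POST body; plain web server access logs normally do not record bodies, so this level of inspection needs WAF or application logging. The expected user list and the maintenance window are assumed values. It goes slightly beyond the page's patterns by decoding a second time so that double-encoded traversal sequences are also caught.

```python
import re
from datetime import datetime, time
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote

# Constructed sample lines in an assumed application audit-log format
# (timestamp, client IP, backend user, method, path, URL-encoded POST body).
# This is not REDAXO's real log format; users and times are invented.
SAMPLE_LOG = """\
2026-02-01T03:02:11Z 10.0.0.5 user=ops POST /redaxo/index.php?page=backup/export body=EXPDIR%5B%5D=media&EXPDIR%5B%5D=data%2Faddons
2026-02-01T03:05:40Z 10.0.0.5 user=ops POST /redaxo/index.php?page=backup/export body=EXPDIR%5B%5D=..%2F..%2F..%2F..%2F
2026-02-01T14:37:52Z 203.0.113.10 user=support1 POST /redaxo/index.php?page=backup/export body=EXPDIR%5B%5D=%2Fvar%2Fwww%2F
2026-02-01T14:40:00Z 203.0.113.10 user=support1 POST /redaxo/index.php?page=backup/export body=EXPDIR%5B%5D=media%2F%252e%252e%2F%252e%252e%2Fcore
2026-02-01T03:10:05Z 203.0.113.10 user=support1 POST /redaxo/index.php?page=backup/export body=EXPDIR%5B%5D=media
2026-02-01T09:15:30Z 10.0.0.7 user=editor GET /redaxo/index.php?page=content
"""

EXPECTED_BACKUP_USERS = {"ops"}                   # assumed: accounts that normally run exports
MAINT_START, MAINT_END = time(2, 0), time(4, 0)   # assumed maintenance window (UTC)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?: body=(?P<body>\S*))?$"
)
# ".." as a whole path segment, with either separator.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
WIN_ABS_RE = re.compile(r"^[A-Za-z]:[\\/]")


def is_suspicious_value(value: str) -> bool:
    """True if an EXPDIR value is absolute or contains a '..' segment.

    parse_qs has already URL-decoded once; decoding again catches double-encoded
    payloads (%252e%252e) that a single-pass pattern match would miss.
    """
    decoded = unquote(value)
    return (
        decoded.startswith(("/", "\\"))
        or WIN_ABS_RE.match(decoded) is not None
        or TRAVERSAL_RE.search(decoded) is not None
    )


def analyze_line(line: str) -> Optional[Dict]:
    """Return an event dict for a backup-export POST, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or "page=backup/export" not in m["path"]:
        return None
    params = parse_qs(m["body"] or "", keep_blank_values=True)
    values = params.get("EXPDIR[]", []) + params.get("EXPDIR", [])
    flagged = [v for v in values if is_suspicious_value(v)]
    reasons = []
    if flagged:
        reasons.append("traversal_or_absolute_path")
    if m["user"] not in EXPECTED_BACKUP_USERS:
        reasons.append("unexpected_user")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    if not (MAINT_START <= ts.time() < MAINT_END):
        reasons.append("outside_maintenance_window")
    return {"ts": m["ts"], "ip": m["ip"], "user": m["user"],
            "values": values, "flagged": flagged, "reasons": reasons}


def alert_export_requests(log_text: str) -> List[Dict]:
    """Run the rules over a log and return only the events that triggered a reason."""
    alerts = []
    for line in log_text.splitlines():
        event = analyze_line(line)
        if event and event["reasons"]:
            # A traversal or absolute path is the direct CVE indicator; the other two
            # reasons are behavioural and only raise a medium alert on their own.
            event["severity"] = "high" if "traversal_or_absolute_path" in event["reasons"] else "medium"
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in alert_export_requests(SAMPLE_LOG):
        print(a["severity"], a["ts"], a["user"], a["reasons"], a["flagged"])
```

Matching on a whole ".." segment rather than the literal string "../" keeps the rule from firing on legitimate names that merely contain two dots, and the behavioural reasons (user, time of day) are kept separate so that a legitimate export by an unexpected account is surfaced without being scored like an actual traversal attempt.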
Incident Response and Forensics
If exploitation is suspected:
- Review backup export logs and timestamps.
- Identify backend users who initiated export actions.
- Analyze downloaded backup archives if available.
- Rotate database credentials immediately.
- Reset all backend user passwords.
- Review database access logs for suspicious activity.
- Inspect the file system for unauthorized changes or uploads.
Remediation and Mitigation
Official Remediation
- Upgrade REDAXO to version 5.20.2 or later
- Official patch and release information:
https://www.redaxo.org/download/
Temporary Mitigations
- Limit Backup permissions to essential users only
- Restrict backend access using VPN or IP allow-listing
- Deploy WAF rules to detect or block traversal patterns
- Increase monitoring around backup-related actions
Security Best Practices
- Treat backup and export features as high-risk attack surfaces
- Enforce strict server-side validation for all file system paths
- Apply the principle of least privilege to backend roles
- Monitor administrative actions as closely as authentication events
- Regularly audit CMS add-ons and plugins for security weaknesses
Final Takeaway
CVE-2026-21857 demonstrates how a trusted administrative feature can become a critical security risk when proper validation controls are missing. Despite requiring authentication, the level of access gained through exploitation makes this vulnerability a high-priority issue for all affected REDAXO installations.
Immediate patching and careful review of backup-related access are strongly recommended.
