Erugo – Arbitrary File Upload Leading to Remote Code Execution
Vulnerability Overview
CVE ID: CVE-2026-24897
Product: Erugo (self-hosted file-sharing application)
Affected Versions: All versions up to v0.2.14
Severity: Critical
CVSS Score: 10.0 (Critical)
Attack Type: Arbitrary File Upload → Remote Code Execution (RCE)
Authentication Required: Yes (low-privileged user)
User Interaction: Not required once the file has been placed
Impact: Full system compromise
Official Patch / Upgrade: Link provided below
What Went Wrong
The vulnerability exists in the way Erugo handles file uploads when users create file shares.
While users are expected to upload files only into a restricted storage directory, the application allowed the destination file path to be supplied directly by the user.
Because this path was not properly validated or restricted, it became possible to instruct the application to store uploaded files outside the intended directory. In particular, files could be placed into publicly accessible web directories.
Once a file is written to a location that the web server executes, that file can be accessed through a browser and run as code. This turns a normal file upload feature into Remote Code Execution, allowing complete control over the server.
Why This Is Critical
Even though authentication is required, the following factors make this vulnerability extremely dangerous:
- Only basic user privileges are required
- No advanced exploitation techniques are needed
- No user interaction is required once the file is placed
- Execution happens with the same privileges as the web service
- Full compromise of the host becomes possible
In many deployments, user registration or external sharing is enabled by default, which significantly lowers the barrier to exploitation.
How Exploitation Happens
The exploitation process generally follows this sequence:
- A normal user account is used to authenticate.
- A file is uploaded using the standard upload functionality.
- During share creation, a crafted file path is supplied instead of a safe relative path.
- The server writes the uploaded file into a public web directory.
- The uploaded file is accessed through a browser.
- The server executes the file, resulting in Remote Code Execution.
This behavior occurs because path normalization and directory enforcement were missing.
MITRE ATT&CK / CWE Mapping
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Proof of Concept (PoC) Availability
A proof-of-concept exploitation workflow exists and has been disclosed strictly for educational and defensive purposes.
The PoC demonstrates how an uploaded file can be reassigned to an unsafe directory during the share creation process, leading to execution. The technique relies on logic flaws rather than memory corruption or bypass techniques.
Detection Strategy
1. Application and API Logs
The most reliable detection method is log analysis.
Indicators include:
- Share creation requests containing unexpected or abnormal file paths
- Directory traversal patterns such as ../
- Paths referencing public or web-served directories
- Rapid sequence of upload → share creation → file access
These patterns rarely occur during legitimate use.
2. Web Server Logs
Signs of exploitation may include:
- Requests to newly created script files in public directories
- Access to files with unusual names or extensions
- Immediate access following upload activity
Any executable file accessed shortly after upload activity should be considered suspicious.
3. File System Monitoring
- Unexpected files appearing in web-served directories
- Recently modified executable files
- Upload timestamps closely aligned with web access timestamps
Splunk Detection Rules
Detect Path Traversal or Unsafe File Paths
index=erugo_logs
uri_path="/api/uploads/create-share-from-uploads"
| spath input=_raw path=filePaths
| search filePaths="*../*" OR filePaths="*public/*" OR filePaths="*www/*"
| table _time, user, src_ip, filePaths
Detect Upload Followed by Public File Access
index=web_access
| search uri="/public/*" OR uri="/www/*"
| stats count by src_ip, uri
Correlate Upload and Execution Attempts
index=erugo_logs OR index=web_access
| transaction src_ip maxspan=5m
| search uri="/api/uploads*" AND (uri="/public/*" OR uri="/www/*")
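The detection strategy and the three Splunk rules above, reimplemented as a stand-alone Python script that can be run over exported JSON-line logs when Splunk is not available. This is an added example, not part of the original advisory or of Erugo: the log lines, IP addresses, user names and field names other than uri_path/filePaths are constructed for illustration.

```python
import json
from datetime import datetime
# Constructed sample events (JSON lines): API events carry filePaths, web-server events only uri.
SAMPLE_LOG = """\
{"_time":"2026-01-10T10:00:01Z","src_ip":"203.0.113.7","user":"alice","uri":"/api/uploads"}
{"_time":"2026-01-10T10:00:05Z","src_ip":"203.0.113.7","user":"alice","uri":"/api/uploads/create-share-from-uploads","filePaths":["../../public/x.php"]}
{"_time":"2026-01-10T10:00:20Z","src_ip":"203.0.113.7","uri":"/public/x.php"}
{"_time":"2026-01-10T10:05:00Z","src_ip":"198.51.100.9","user":"bob","uri":"/api/uploads"}
{"_time":"2026-01-10T10:05:04Z","src_ip":"198.51.100.9","user":"bob","uri":"/api/uploads/create-share-from-uploads","filePaths":["reports/q1.pdf"]}
{"_time":"2026-01-10T10:30:00Z","src_ip":"198.51.100.9","uri":"/public/logo.png"}
"""
SHARE_ENDPOINT = "/api/uploads/create-share-from-uploads"
WEB_SERVED_PREFIXES = ("/public/", "/www/")

def parse_events(text):
    # Parse JSON lines and return events sorted by timestamp (oldest first).
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["_time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def is_unsafe_path(path):
    """First SPL rule: traversal segments, absolute paths, or a web-served destination."""
    parts = path.replace("\\", "/").split("/")
    return ".." in parts or path.startswith("/") or any(p in ("public", "www") for p in parts)

def flag_share_requests(events):
    """Share-creation calls whose filePaths would land outside the storage root."""
    hits = []
    for ev in events:
        if ev.get("uri") == SHARE_ENDPOINT:
            for p in ev.get("filePaths", []):
                if is_unsafe_path(p):
                    hits.append((ev.get("user"), ev["src_ip"], p))
    return hits

def correlate_upload_to_access(events, maxspan_s=300):
    """Transaction rule: same src_ip hits /api/uploads* then a web-served path within maxspan_s."""
    last_upload, findings = {}, []
    for ev in events:
        uri = ev.get("uri", "")
        if uri.startswith("/api/uploads"):
            last_upload[ev["src_ip"]] = ev["ts"]
        elif uri.startswith(WEB_SERVED_PREFIXES) and ev["src_ip"] in last_upload:
            delta = (ev["ts"] - last_upload[ev["src_ip"]]).total_seconds()
            if delta <= maxspan_s:
                findings.append((ev["src_ip"], uri, int(delta)))
    return findings
```

With the constructed sample, only alice's session is flagged by both rules; bob's benign share and his later request for a static file fall outside the 5-minute window.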
Indicators of Compromise (IOC)
- New executable files under public directories
- Abnormal API usage involving share creation
- Unknown scripts accessed via browser
- Unexpected outbound connections initiated by the web service
Remediation and Mitigation
Immediate Action
- Upgrade Erugo to version 0.2.15 or later
Official Patch Link:
https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15
Temporary Mitigations
- Disable script execution in upload directories
- Separate upload storage from web-served paths
- Restrict share creation permissions
- Monitor upload-related endpoints closely
- Add WAF rules to detect traversal patterns in JSON payloads
Long-Term Security Recommendations
- Enforce strict server-side path validation
- Apply allow-listing for upload destinations
- Disable execution permissions where not required
- Regularly audit user roles and privileges
- Monitor upload-to-execution behavior patterns
- Keep dependency and application updates current
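The path normalization and directory enforcement that the advisory says were missing, together with the strict server-side validation and non-executable storage recommended above, shown as one upload handler. This is an added example written for this page, not Erugo's own code (which is not shown here): the storage root, function names and the docs/sample.txt destination are assumptions.

```python
import os
import posixpath
import tempfile

# Constructed storage root for this example; Erugo's real storage layout is not on this page.
DEFAULT_ROOT = "/var/app/storage/shares"

class UnsafePathError(ValueError):
    """Raised when a client-supplied destination cannot be mapped safely."""

def resolve_share_path(user_supplied, root=DEFAULT_ROOT):
    """Normalize a client-supplied relative path and enforce that it stays under root."""
    if not user_supplied or "\x00" in user_supplied:
        raise UnsafePathError("empty or NUL-containing path")
    rel = user_supplied.replace("\\", "/")  # treat backslashes as separators too
    if rel.startswith("/") or ".." in rel.split("/"):
        raise UnsafePathError("absolute path or traversal segment rejected")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    # Containment is decided on the normalized result, never on the raw input.
    if candidate == root_norm or not candidate.startswith(root_norm + "/"):
        raise UnsafePathError("destination must be a file below the storage root")
    return candidate

def is_safe_destination(user_supplied, root=DEFAULT_ROOT):
    """Boolean form of resolve_share_path for validators that only need a verdict."""
    try:
        resolve_share_path(user_supplied, root)
        return True
    except UnsafePathError:
        return False

def store_upload(data, user_supplied, root=DEFAULT_ROOT):
    """Write data to the validated destination, non-executable, without following symlinks."""
    dest = resolve_share_path(user_supplied, root)
    os.makedirs(posixpath.dirname(dest), mode=0o750, exist_ok=True)
    # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW refuses a symlink at the
    # final component; mode 0o640 means nothing written here carries an execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def demo_round_trip(payload=b"constructed sample content"):
    # Store a file under a throwaway root and report (content read back, is_executable).
    root = tempfile.mkdtemp(prefix="erugo_example_")
    dest = store_upload(payload, "docs/sample.txt", root)
    with open(dest, "rb") as fh:
        content = fh.read()
    return content, bool(os.stat(dest).st_mode & 0o111)
```

Keeping the storage root outside any web-served directory remains necessary even with this check in place; the validation stops the traversal, while the separation removes the execution path.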
Final Takeaway
CVE-2026-24897 is a severe logic flaw in Erugo that allows authenticated users to turn a file upload feature into a Remote Code Execution vector. By abusing improper path handling, attackers can place executable files in public directories and take full control of the system.
Patching is the only complete fix. Until then, strong monitoring and temporary hardening are essential to reduce risk.
