Apache Zeppelin: Arbitrary file deletion vulnerability
Description
Apache Zeppelin 0.9.0 and prior have an improper input validation in the 'Move folder to Trash' feature, allowing arbitrary file deletion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The "Move folder to Trash" feature in Apache Zeppelin versions 0.9.0 and prior is vulnerable to improper input validation, allowing an attacker to delete arbitrary files on the server [1].
Exploitation
An attacker with access to the Zeppelin web interface can craft a malicious request to the "Move folder to Trash" operation, bypassing intended path restrictions [1]. The vulnerability does not require authentication beyond access to the web interface.
Impact
Successful exploitation enables the attacker to delete arbitrary files, potentially causing data loss, service downtime, or further compromise of the Zeppelin server [1].
Mitigation
Apache Zeppelin has addressed this issue in later releases. Users should upgrade to a version beyond 0.9.0. No workaround is documented [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.zeppelin:zeppelin (Maven) | < 0.10.0 | 0.10.0 |
Affected products: 2
Patches: 0 (no patches discovered yet)
References
- github.com/advisories/GHSA-gm67-h5wr-w3cv (source: ghsa; type: ADVISORY)
- lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2 (source: ghsa; tag: vendor-advisory; type: WEB)
- nvd.nist.gov/vuln/detail/CVE-2021-28655 (source: ghsa; type: ADVISORY)