CVE-2021-32560
Description
The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OctoPrint before 1.6.0 has incorrect access control in its Logging subsystem, allowing management of non-log files.
Vulnerability
The Logging subsystem in OctoPrint versions prior to 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files [1][2]. This means the subsystem does not properly restrict file operations to only log files, potentially exposing other files to unauthorized management actions.
Exploitation
An attacker with network access to the OctoPrint web interface and valid credentials could exploit this by requesting operations on arbitrary files that are not log files. The exact steps are not detailed in the references, but the vulnerability lies in the lack of file extension validation.
Impact
Successful exploitation could allow an attacker to read, download, or otherwise manage files outside the intended log directory, leading to information disclosure or unauthorized file access. The impact depends on the permissions of the OctoPrint process.
Mitigation
The vulnerability is fixed in OctoPrint version 1.6.0, released on April 27, 2021 [1][2]. Users should upgrade to 1.6.0 or later. No workarounds are mentioned in the available references.
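As an added defender-side illustration (not OctoPrint's own code, which the page does not show), the block below contrasts the missing check with a hardened one: a naive join that accepts any requested name next to a lookup that confines log-management operations to plain *.log files inside the log directory. The directory layout, file names and function names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional

LOG_SUFFIX = ".log"  # the only extension the log endpoint may touch


def naive_log_path(log_dir: Path, name: str) -> Path:
    """Models the flaw: the requested name is joined onto the log directory
    with no extension or location check, so any reachable file is handled
    as if it were a log."""
    return log_dir / name


def safe_log_path(log_dir: Path, name: str) -> Optional[Path]:
    """Return the path only if `name` is a plain *.log regular file that
    lives directly inside log_dir; otherwise return None."""
    # A log name must be a single path component: no separators, no '..'.
    if not name or Path(name).name != name:
        return None
    # Extension allow-list, compared case-insensitively.
    if not name.lower().endswith(LOG_SUFFIX):
        return None
    base = log_dir.resolve()
    candidate = (base / name).resolve()  # resolve() follows symlinks
    # Containment: the resolved target must still sit under the log directory.
    if base not in candidate.parents:
        return None
    # Refuse symlinks outright and anything that is not a regular file.
    if (base / name).is_symlink() or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise both checks."""
    tmp = Path(tempfile.mkdtemp())
    logs = tmp / "logs"
    logs.mkdir()
    (logs / "octoprint.log").write_text("constructed log line\n")
    (logs / "notes.txt").write_text("constructed non-log file\n")
    (tmp / "config.yaml").write_text("constructed: secret-value\n")
    (logs / "link.log").symlink_to(tmp / "config.yaml")  # escapes via symlink
    return {
        "naive_escapes": naive_log_path(logs, "../config.yaml").resolve().is_file(),
        "safe_ok": safe_log_path(logs, "octoprint.log") is not None,
        "safe_traversal": safe_log_path(logs, "../config.yaml") is not None,
        "safe_wrong_ext": safe_log_path(logs, "notes.txt") is not None,
        "safe_symlink": safe_log_path(logs, "link.log") is not None,
    }
```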
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OctoPrint (PyPI) | < 1.6.0 | 1.6.0 |
Affected products
- OctoPrint / Logging subsystem
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-x9rq-fjp5-qgm9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32560 (NVD advisory)
- github.com/OctoPrint/OctoPrint/releases/tag/1.6.0
- github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2021-29.yaml
- octoprint.org/blog/2021/04/27/new-release-1.6.0
- octoprint.org/blog/2021/04/27/new-release-1.6.0/ (MITRE reference)
- www.brzozowski.io
- www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html
News mentions
No linked articles in our index yet.