VYPR
Unrated severity · NVD Advisory · Published Aug 2, 2023 · Updated Aug 2, 2024

CVE-2023-26441

Description

Cacheservice did not correctly check if relative cache objects were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the service's system user account. We have improved path validation and make sure that any access is contained to the defined root directory. No publicly available exploits are known.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cacheservice path traversal in OX App Suite allows authenticated attackers with database access to read arbitrary files on the server.

Vulnerability

The vulnerability resides in the Cacheservice component of OX App Suite. The service fails to properly validate that relative cache object paths are contained within the defined absolute root directory, allowing path traversal. This affects versions prior to the security update that introduced improved path validation [1].

Exploitation

An attacker must have access to the database and be positioned on a local or restricted network. By crafting cache object references with relative path components (e.g., ../), the attacker can escape the intended root directory and access arbitrary files on the filesystem. No user interaction is required beyond the initial access conditions [1].

Impact

Successful exploitation allows the attacker to read any local file system resource that is accessible by the service's system user account. This leads to information disclosure of sensitive data, such as configuration files, credentials, or other application data [1].

Mitigation

The vendor has addressed the issue by implementing proper path validation to ensure all cache object accesses are confined to the defined root directory. Users should apply the latest security update for OX App Suite. No publicly available exploits are known, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
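
The containment check described above, as an added illustration that is not OX App Suite code and not the vendor's patch: a stored cache reference is treated as untrusted, resolved to a real path, and rejected unless it lies under the configured root. The function names, the directory layout and the sample references are constructed for the example, which assumes a POSIX system where symlinks can be created.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a stored reference resolves outside the cache root."""


def resolve_in_root(root: Path, stored_ref: str) -> Path:
    """Resolve a cache object reference and confirm it stays under root."""
    # The reference comes from the database, so treat it as untrusted input.
    if "\x00" in stored_ref:
        raise PathEscapeError("NUL byte in reference")
    root_real = Path(os.path.realpath(root))
    # realpath collapses ".." segments and follows symlinks. An absolute
    # stored_ref replaces the root in the join; the check below catches that.
    candidate = Path(os.path.realpath(root_real / stored_ref))
    if root_real not in candidate.parents:
        raise PathEscapeError(f"{stored_ref!r} resolves outside {root_real}")
    return candidate


def demo() -> dict:
    """Run constructed references against a temporary cache root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cache"
        outside = Path(tmp) / "secret.conf"
        (root / "ab").mkdir(parents=True)
        (root / "ab" / "object1").write_text("cached")
        outside.write_text("outside the root")
        os.symlink(outside, root / "link")  # symlink inside root, target outside
        refs = {
            "plain": "ab/object1",
            "dotdot": "../secret.conf",
            "nested_dotdot": "ab/../../secret.conf",
            "absolute": str(outside),
            "symlink": "link",
            "normalized": "ab/../ab/object1",
        }
        for label, ref in refs.items():
            try:
                resolve_in_root(root, ref)
                results[label] = "allowed"
            except PathEscapeError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14} {verdict}")
```

Comparing resolved paths by component (via `parents`) rather than by string prefix avoids accepting a sibling directory such as `cache-old` when the root is `cache`.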

References
  1. Packet Storm

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
