CVE-2026-33552
Description
Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect access control in Mender Enterprise Server before 4.1.1 allows path traversal attacks on artifact creation endpoints.
Vulnerability
An incorrect access control vulnerability exists in Northern.tech Mender Enterprise Server versions 4.1.0, 4.0.1, and earlier (fixed in 4.1.1 and 4.0.2). The bug is due to improper input sanitization in the endpoint for creating artifacts (used from the UI or API), allowing path traversal sequences like ../ to access and modify files outside the intended directory [1].
Exploitation
To exploit this vulnerability, an attacker needs a user account with permissions to access the artifact creation API. In a multi-tenant hosted Mender environment, an attacker can easily sign up for an account with the required permissions. The victim must be using the artifact creation feature. The attacker sends a crafted request containing path traversal sequences to inject arbitrary code into the artifacts being created [1].
Impact
Successful exploitation allows the attacker to compromise the container for other users of the same API, potentially injecting malicious code into artifacts. If cryptographically signed artifacts are used and the Mender client is configured to verify signatures, the device would refuse to install tampered artifacts, mitigating the impact. For on-premise installations with fewer users, the risk is lower as self-signup is typically not possible [1].
Mitigation
This issue is fixed in Mender Server versions 4.1.1 and 4.0.2. Hosted Mender has already been patched. Users on affected versions should upgrade immediately. As a workaround, enable cryptographic artifact signing and client-side signature verification so that devices refuse to install modified artifacts. Installations that do not use the artifact creation feature are not affected [1].
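The root of the bug described above is a caller-supplied artifact name reaching a filesystem path join unchecked. As an added example (not Mender's own code or fix), the following hypothetical Go helper shows the server-side check a practitioner would put in front of such a join, assuming the name arrives as one user-controlled string and artifacts are written under a single fixed directory:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a caller-supplied artifact name would resolve
// outside the configured artifact directory.
var ErrTraversal = errors.New("artifact name escapes artifact directory")

// ResolveArtifactPath joins a caller-supplied artifact name onto baseDir and
// refuses any result that does not stay strictly inside baseDir. The name is
// treated as a single path component: separators, "." and ".." are rejected
// before the filesystem is ever touched. (Hypothetical helper, not Mender's.)
func ResolveArtifactPath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrTraversal
	}
	// Any separator means the "name" is really a path; reject it outright so
	// "a/../../b" style input never reaches the join below.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrTraversal
	}
	base, err := filepath.Abs(filepath.Clean(baseDir))
	if err != nil {
		return "", err
	}
	full := filepath.Clean(filepath.Join(base, name))
	// Defence in depth: confirm the cleaned result is still a child of base.
	// filepath.Rel is used instead of a bare prefix test so that a sibling
	// directory such as base+"-evil" is not mistaken for a child of base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate name and several traversal attempts.
	for _, n := range []string{"rootfs-v2.mender", "../../etc/passwd", "/etc/passwd", "..", `a\..\b`} {
		p, err := ResolveArtifactPath("/srv/mender/artifacts", n)
		fmt.Printf("%-22q -> %q %v\n", n, p, err)
	}
}
```

The component check alone would already block the traversal; the `filepath.Rel` test is kept so the guarantee still holds if a later change relaxes the first check.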
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <4.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.