CVE-2026-36500
Description
Directory traversal in OpenDaylight Controller v12.0.5 allows remote attackers to write arbitrary files via crafted RESTCONF requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in OpenDaylight Controller v12.0.5 allows remote attackers to write arbitrary files via crafted RESTCONF requests.
Vulnerability
An issue exists in the cluster-admin:backup-datastore component of OpenDaylight Controller version 12.0.5. This vulnerability allows for directory traversal via a crafted request targeting the RESTCONF interface [2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP POST request over the network via RESTCONF. No authentication or user interaction is required for exploitation, as it is exploitable over the network [2].
Impact
Successful exploitation allows an attacker to write arbitrary files to any location accessible by the OpenDaylight process. This could lead to system compromise or denial of service, depending on the files overwritten [2].
Mitigation
It is recommended to validate and restrict the file-path parameter to a permitted base directory and reject any path that resolves outside of it. The fixed version and release date are not yet disclosed in the available references. OpenDaylight Titanium documentation is available [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.