VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-36723

Description

BookCars v8.3 has an unrestricted file rename vulnerability allowing authenticated attackers to achieve RCE via directory traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An unrestricted file rename vulnerability exists in BookCars versions 8.3 and earlier at the /api/create-user endpoint. The vulnerability arises from the direct concatenation of user-supplied file and language fields into filesystem paths during file renaming operations without proper validation or canonicalization. This affects files such as /backend/src/routes/userRoutes.ts and /backend/src/controllers/userController.ts [1].

Exploitation

Authenticated attackers can exploit this vulnerability by leveraging directory traversal sequences within the file and language parameters of a request to the /api/create-user endpoint. This allows them to move arbitrary files from temporary storage to any location on the server's filesystem, provided the source and destination are on the same filesystem device [1].

Impact

Successful exploitation allows attackers to gain unauthorized access to sensitive files, overwrite critical application files, and potentially achieve remote code execution (RCE) by replacing dynamically imported JavaScript modules. The scope of the compromise is determined by the attacker's ability to write to arbitrary locations on the server filesystem [1].

Mitigation

Mitigations include validating and sanitizing path components, canonicalizing paths, rejecting inputs that contain directory traversal sequences or absolute paths, using server-generated filenames, enforcing a strict file extension whitelist, and applying least-privilege filesystem permissions. A fixed version is not yet disclosed in the available references. Workarounds may include restricting access to the /api/create-user endpoint, or (when not using Docker) keeping temporary storage and the application directories on different filesystem devices so that a rename between them cannot succeed, or configuring Docker volumes to the same effect [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The file and language fields from user-supplied contracts are directly concatenated into filesystem paths during file renaming operations without validation or canonicalization."

Attack vector

Authenticated attackers can exploit this vulnerability by sending a crafted request to the `/api/create-user` endpoint. The request body contains a `contracts` array, where the `file` and `language` fields can be manipulated. By using directory traversal sequences (e.g., `../`), attackers can trick the `fs.rename()` operation into moving files from temporary storage to arbitrary locations on the server filesystem. This can lead to unauthorized access, overwriting critical files, or achieving remote code execution by replacing dynamically imported JavaScript modules [1].

Affected code

The vulnerability resides in the file renaming logic within the `create` function in `/backend/src/controllers/userController.ts`. Specifically, the `tempFile` and `newPath` variables are constructed using unsanitized user input from `contract.file` and `contract.language` respectively, which are then passed to the `asyncFs.rename()` function [1].

What the fix does

The advisory recommends validating and sanitizing both source and destination path components, canonicalizing paths, and verifying they remain within designated directories. It also suggests rejecting inputs containing directory traversal sequences or absolute paths, using server-side generated filenames, implementing strict file extension whitelisting, and enforcing least-privilege filesystem permissions. These measures prevent the `fs.rename()` operation from being tricked into moving files to unintended locations [1].
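
As an added example (not BookCars code and not the project's fix), the following TypeScript shows the path handling that the Mitigation section and the recommendations above describe for a rename step like the one in the `create` function: a bare-filename check on `contract.file`, a whitelist for `contract.language` and the file extension, canonicalization with a containment check against the intended directory, and a server-generated destination name so that user input never reaches the destination path. The directory layout, the `ALLOWED_EXTENSIONS` and `ALLOWED_LANGUAGES` sets, and the `resolveInside` / `planContractMove` / `demoMove` names are assumptions made for this illustration; `naiveJoin` stands in for the concatenation pattern the advisory describes and is not the project's actual code.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";
import { randomUUID } from "crypto";

// Assumed policy values for this example (not taken from BookCars).
const ALLOWED_EXTENSIONS = new Set([".pdf", ".docx"]);
const ALLOWED_LANGUAGES = new Set(["en", "fr", "es"]);

class UnsafePathError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "UnsafePathError";
  }
}

// Illustration of the unsafe pattern the advisory describes: a user-supplied value is
// glued onto a directory and nothing checks where the result points.
function naiveJoin(baseDir: string, userValue: string): string {
  return baseDir + "/" + userValue;
}

// Canonicalize `candidate` under `baseDir` and prove the result is still inside it.
function resolveInside(baseDir: string, candidate: string): string {
  const root = path.resolve(baseDir);
  const resolved = path.resolve(root, candidate);
  const rel = path.relative(root, resolved);
  // An empty relative path means "the directory itself"; a leading ".." or an absolute
  // result means the candidate escaped the root once "." and ".." segments were folded.
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new UnsafePathError(`path escapes ${root}: ${JSON.stringify(candidate)}`);
  }
  return resolved;
}

// Accept only a bare file name: no separators, no traversal, no NUL byte, no absolute path.
function assertBareFilename(value: string, label: string): void {
  if (
    value.length === 0 ||
    value.includes("\0") ||
    /[\\/]/.test(value) ||
    value === "." ||
    value === ".." ||
    path.basename(value) !== value
  ) {
    throw new UnsafePathError(`${label} must be a bare file name, got ${JSON.stringify(value)}`);
  }
}

interface ContractInput { file: string; language: string; }
interface MovePlan { src: string; dest: string; }

// Decide where a temporary upload may be renamed to. The destination name is generated
// server-side, so `contract.file` only selects a file inside the temp directory.
function planContractMove(tmpDir: string, cdnDir: string, contract: ContractInput): MovePlan {
  assertBareFilename(contract.file, "contract.file");
  if (!ALLOWED_LANGUAGES.has(contract.language)) {
    throw new UnsafePathError(`unknown language ${JSON.stringify(contract.language)}`);
  }
  const ext = path.extname(contract.file).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    throw new UnsafePathError(`extension ${JSON.stringify(ext)} is not allowed`);
  }
  const src = resolveInside(tmpDir, contract.file);
  const dest = resolveInside(cdnDir, `${randomUUID()}_${contract.language}${ext}`);
  return { src, dest };
}

// True when `fn` is refused by the validation layer.
function isRejected(fn: () => unknown): boolean {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof UnsafePathError;
  }
}

// End-to-end run on a constructed upload: scratch directories under the OS temp dir (same
// device, so fs.renameSync can succeed), one valid move, one rejected traversal attempt.
function demoMove(): { moved: boolean; destInsideCdn: boolean; traversalRejected: boolean } {
  const scratch = fs.mkdtempSync(path.join(os.tmpdir(), "contracts-"));
  const tmpDir = path.join(scratch, "tmp");
  const cdnDir = path.join(scratch, "cdn");
  fs.mkdirSync(tmpDir);
  fs.mkdirSync(cdnDir);
  fs.writeFileSync(path.join(tmpDir, "upload.pdf"), "%PDF-1.4 constructed sample\n");

  const plan = planContractMove(tmpDir, cdnDir, { file: "upload.pdf", language: "en" });
  fs.renameSync(plan.src, plan.dest);

  const traversalRejected = isRejected(() =>
    planContractMove(tmpDir, cdnDir, { file: "../escape.pdf", language: "en" }));

  return {
    moved: fs.existsSync(plan.dest) && !fs.existsSync(plan.src),
    destInsideCdn: path.dirname(plan.dest) === path.resolve(cdnDir),
    traversalRejected,
  };
}
```

`path.resolve` folds `.` and `..` segments lexically but does not follow symbolic links; where the temporary directory could hold links created by other users, applying `fs.realpathSync` to the resolved source and repeating the containment check is the next step. The extension whitelist and the server-chosen destination name together mean that even a file that passes validation cannot land where a dynamically imported module is loaded from.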

Preconditions

  • auth: The attacker must be authenticated.
  • input: The attacker must be able to control the `file` and `language` fields within the `contracts` array of the request body sent to the `/api/create-user` endpoint.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0