CVE-2026-36726
Description
BookCars v8.3 allows unauthenticated attackers to delete arbitrary files via directory traversal in the /api/delete-temp-license/{file} endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unrestricted file deletion vulnerability exists in BookCars versions up to and including v8.3. The vulnerability resides in the /api/delete-temp-license/{file} endpoint, where the file parameter is directly concatenated into a filesystem path without proper validation. This allows for directory traversal sequences to be injected.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the /api/delete-temp-license/{file} endpoint. The attacker needs to supply a file parameter containing directory traversal sequences (e.g., ../../) to navigate the filesystem and delete arbitrary files. The vulnerability is present in the deleteTempLicense function within /backend/src/controllers/userController.ts [1].
Impact
Successful exploitation allows an unauthenticated attacker to delete arbitrary files from the server's filesystem. The scope of the impact depends on the privileges of the BookCars process, but could lead to denial of service or the removal of critical system files.
Mitigation
To mitigate this vulnerability, it is recommended to canonicalize and verify that resolved paths are within the intended temporary directory, reject directory-traversal patterns and absolute paths, validate filenames against a strict allowlist, implement proper access controls, and run the service with least privilege. A fixed version is not yet disclosed in the available references [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The file path parameter is concatenated into the target filesystem path without proper validation or canonicalization."
Attack vector
An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the `/api/delete-temp-license/{file}` endpoint. The `{file}` parameter can be manipulated with directory traversal sequences, such as `%2F..%2F..`, to navigate outside the intended directory. This allows the attacker to delete arbitrary files on the server filesystem [ref_id=1].
Affected code
The vulnerability resides in the `/api/delete-temp-license/{file}` endpoint, handled by the `deleteTempLicense` function in `/backend/src/controllers/userController.ts`. The `file` parameter from the request is directly used in `path.join(env.CDN_TEMP_LICENSES, file)` without sufficient validation against directory traversal patterns [ref_id=1].
What the fix does
The advisory recommends several mitigations, including canonicalizing and verifying that resolved paths are inside the intended temporary directory, rejecting directory-traversal patterns (e.g., `..`) or absolute-path inputs, and validating filenames against a strict allowlist pattern. Additionally, implementing proper access controls and running the service with least privilege are suggested to limit the impact of potential exploitation [ref_id=1]. The patch does not show specific code changes, but these principles would be applied to the file path handling logic.
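The hardening steps listed under Mitigation and repeated under What the fix does (canonicalize, reject traversal and absolute inputs, allowlist the filename, confirm containment) as an added TypeScript example. This is not BookCars' code: `env.CDN_TEMP_LICENSES` is stood in for by a `baseDir` argument, `unsafeTempLicensePath` only reproduces the `path.join` pattern the advisory describes for comparison, and the directory and file names used in `demo()` are constructed.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Strict allowlist for a temp-licence filename: a single path segment, no leading
// dot, no separators and no '%' (so double-encoded input such as %252F fails too).
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

// The pattern the advisory describes: the route parameter is joined onto the base
// directory with no validation, so "../" segments walk out of it. Comparison only.
function unsafeTempLicensePath(baseDir: string, file: string): string {
  return path.join(baseDir, file);
}

// Hardened replacement: decode once, enforce the allowlist, then canonicalize and
// confirm the result is still inside baseDir. Returns null on any failure.
function resolveTempLicensePath(baseDir: string, file: string): string | null {
  let name: string;
  try {
    // Express already decodes route params; decoding here makes the check
    // independent of how the framework delivered the value.
    name = decodeURIComponent(file);
  } catch {
    return null; // malformed percent-encoding
  }
  if (!SAFE_FILENAME.test(name)) return null; // catches "", "..", "/", "\\", "%"
  // Belt and braces: the allowlist already excludes these, but keep the intent explicit.
  if (path.isAbsolute(name) || path.basename(name) !== name) return null;

  const root = path.resolve(baseDir);
  const resolved = path.resolve(root, name);
  // Canonical containment check: the result must be root + separator + something.
  if (!resolved.startsWith(root + path.sep)) return null;
  return resolved;
}

// Unlink only a path that survived validation. Returns true if a file was removed.
function deleteTempLicense(baseDir: string, file: string): boolean {
  const target = resolveTempLicensePath(baseDir, file);
  if (target === null) return false;
  if (!fs.existsSync(target)) return false;
  fs.unlinkSync(target);
  return true;
}

// Self-contained demonstration against a throwaway directory under os.tmpdir().
function demo(): { rejectedTraversal: boolean; deletedLegit: boolean } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "bookcars-temp-licenses-"));
  const legit = path.join(base, "licence-123.pdf"); // constructed sample upload
  fs.writeFileSync(legit, "constructed sample content");

  const rejectedTraversal =
    deleteTempLicense(base, "../../etc/passwd") === false &&
    resolveTempLicensePath(base, "%2F..%2F..%2Fetc%2Fpasswd") === null;
  const deletedLegit =
    deleteTempLicense(base, "licence-123.pdf") && !fs.existsSync(legit);

  fs.rmSync(base, { recursive: true, force: true });
  return { rejectedTraversal, deletedLegit };
}

console.log(demo()); // { rejectedTraversal: true, deletedLegit: true }
```

The containment check compares against `root + path.sep` rather than `root` alone so that a sibling directory with the same prefix (for example `temp-licenses-old`) is not accepted; the allowlist on its own would already block traversal, but keeping both checks means a future relaxation of the regex does not silently reopen the hole.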
Preconditions
- auth: The vulnerability is exploitable by unauthenticated attackers [ref_id=1].
- input: The attacker must be able to send a request to the `/api/delete-temp-license/{file}` endpoint with a manipulated `{file}` parameter.
Reproduction
/api/delete-temp-license/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftest%2Fdelete-temp-license%2Ftest-delete-temp-license
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.