VYPR
Medium severity · NVD Advisory · Published Jun 1, 2026

CVE-2026-40547

Description

SOPlanning version 1.55 and below is vulnerable to path traversal in backup endpoints, allowing authenticated attackers to read and execute arbitrary backup files due to missing authorization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

SOPlanning versions 1.55 and below contain a path traversal vulnerability in backup endpoints [1]. The vulnerability allows an authenticated attacker to craft payloads that traverse directories, enabling reading and executing files that were previously added through the backup functionality [1]. The issue is compounded by a missing authorization vulnerability (CVE-2026-40543) that permits any user, including unauthorized ones, to read any backup file [1].

Exploitation

An attacker needs valid authentication credentials to the SOPlanning instance. By exploiting the path traversal in a backup endpoint, the attacker can construct requests that navigate the filesystem to access backup files outside the intended directory, including those uploaded by other users. The exploitation does not require any special privileges beyond authentication, and due to CVE-2026-40543, even the authorization check for reading backup files is bypassed [1].

Impact

Successful exploitation results in unauthorized read access to backup files, which may contain sensitive project data, user information, or other confidential information. Additionally, the attacker can execute files that were previously uploaded as part of backup functionality, potentially leading to arbitrary code execution on the server. The combination with the missing authorization vulnerability increases the attack surface, as any non-admin user can access any backup file [1].

Mitigation

As of the publication date (2026-06-01), no official patch has been released for CVE-2026-40547. The vendor has not provided a fixed version [2]. Users of SOPlanning version 1.55 and below are advised to restrict network access to the application and monitor for unusual activity. Administrators should review backup file permissions and consider disabling the backup functionality if not required. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
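As an added illustration, not SOPlanning's code (the page gives no source), the following Python shows the weak pattern behind this bug class beside a hardened backup-file resolver that addresses both findings on this page: user input joined straight onto the backup directory on one side, and on the other an allow-listed name format, an owner-or-admin authorization check (the check CVE-2026-40543 describes as missing) and a canonical containment check, with files only ever returned for download, never executed. The directory layout, the `<owner>-<label>.<suffix>` file naming, the allowed suffixes and the `User` role model are assumptions made for the example.

```python
"""Added example: hardening a backup-download endpoint against path traversal
and missing authorization. Not SOPlanning code; layout, naming and roles are assumed."""
import os
import re
import tempfile
from dataclasses import dataclass


# Constructed user model (assumption): the application's real roles are not on the page.
@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


# Only these suffixes are treated as backup archives (assumption).
ALLOWED_SUFFIXES = (".sql", ".zip", ".tar.gz")

# Assumed naming: <owner>-<label>.<suffix>. The character class excludes "/" and "\\",
# so no path separator, and therefore no traversal component, can pass this check.
NAME_RE = re.compile(r"^(?P<owner>[A-Za-z0-9_]+)-[A-Za-z0-9_.-]+$")


class BackupAccessError(Exception):
    pass


def vulnerable_resolve(backup_dir: str, requested: str) -> str:
    # The weak pattern: the request parameter is joined onto the base directory
    # unchecked, so "../" components leave backup_dir, and nobody asks who owns
    # the file or who is requesting it.
    return os.path.join(backup_dir, requested)


def safe_resolve(backup_dir: str, requested: str, user: User) -> str:
    # 1. Syntactic allow-list: bare filename in the expected format, known suffix.
    m = NAME_RE.match(requested)
    if not m:
        raise BackupAccessError("invalid backup name")
    if not requested.endswith(ALLOWED_SUFFIXES):
        raise BackupAccessError("not a backup archive")
    # 2. Authorization: the owner named in the file, or an admin, and nobody else.
    if not (user.is_admin or m.group("owner") == user.name):
        raise BackupAccessError("not authorized for this backup")
    # 3. Defence in depth: canonicalize (symlinks included) and confirm containment.
    base = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise BackupAccessError("path escapes backup directory")
    # 4. Serve regular files only; the caller streams the bytes, never executes them.
    if not os.path.isfile(target):
        raise BackupAccessError("no such backup")
    return target


def demo() -> dict:
    """Constructed scenario: two users' backups plus a config file one level up."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        backups = os.path.join(root, "backups")
        os.mkdir(backups)
        for name in ("alice-weekly.sql", "bob-weekly.sql"):
            with open(os.path.join(backups, name), "w") as fh:
                fh.write("-- constructed backup\n")
        with open(os.path.join(root, "config.php"), "w") as fh:
            fh.write("<?php // constructed file outside the backup directory\n")
        alice = User("alice", False)
        admin = User("root", True)
        # The weak resolver yields a real path outside the backup directory.
        results["vulnerable_escapes"] = os.path.isfile(vulnerable_resolve(backups, "../config.php"))
        # The hardened resolver serves a user's own file and lets an admin read any file.
        results["own_file_ok"] = os.path.basename(safe_resolve(backups, "alice-weekly.sql", alice))
        results["admin_any_ok"] = os.path.basename(safe_resolve(backups, "bob-weekly.sql", admin))
        # Traversal, cross-user reads and non-archive files are each refused with a reason.
        for key, name, user in (
            ("traversal_blocked", "../config.php", alice),
            ("cross_user_blocked", "bob-weekly.sql", alice),
            ("non_archive_blocked", "alice-notes.txt", alice),
        ):
            try:
                safe_resolve(backups, name, user)
                results[key] = None
            except BackupAccessError as exc:
                results[key] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: the syntactic allow-list runs before anything touches the filesystem, the ownership check sits on the request rather than on the file's location, and the `realpath` containment test is kept even though the regex already excludes separators, so that a later relaxation of the naming rule or a symlink inside the backup directory cannot silently reopen the traversal.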

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (2)

News mentions (0)

No linked articles in our index yet.