VYPR
Medium severity · 4.9 · NVD Advisory · Published Jun 2, 2026

CVE-2026-41412

Description

alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (simpleHttpClient) into every extension script's scope. The postFileAndSaveResponse() method accepts an arbitrary filesystem path as its file parameter and reads the file contents using new FileInputStream(file) with no path validation, directory restriction, or allowlist. A malicious extension script can read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server via HTTP POST. Version 2.0-M5-2606 patches the issue.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `postFileAndSaveResponse()` method in `SimpleHttpClient` does not validate the provided file path, allowing arbitrary file reads."

Attack vector

An authenticated administrator can upload and execute a malicious extension script. The script uses the injected `simpleHttpClient` to call `postFileAndSaveResponse()` with an arbitrary file path such as `/etc/passwd`. The method reads the file's contents and sends them in an HTTP POST request to an attacker-controlled server [ref_id=1].

Affected code

The vulnerability lies within the `SimpleHttpClient.postFileAndSaveResponse()` method in `SimpleHttpClient.java`. Specifically, the line `return new FileInputStream(file);` directly uses the attacker-controlled `file` parameter without any sanitization or validation [ref_id=1]. The `simpleHttpClient` object is made available to extension scripts via `ScriptingExecutionService.java`.

What the fix does

Version 2.0-M5-2606 addresses the vulnerability by implementing path validation and directory restrictions within the `SimpleHttpClient.postFileAndSaveResponse()` method. This ensures that only files within permitted locations can be accessed, preventing unauthorized file reads and exfiltration [ref_id=1].
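As an added illustration, not alf.io's own code (the actual fix is not reproduced on this page), the class below places the advisory's vulnerable pattern next to the kind of directory restriction the fix describes: the caller-supplied path is resolved against a fixed base directory, canonicalised so that `..` segments and symlinks cannot escape it, and only then opened. The class name, method names and the notion of a single permitted base directory are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

public class RestrictedFileAccess {

    // Assumed: the only directory from which extension scripts may read files.
    private final Path baseDir;

    public RestrictedFileAccess(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and fails if the directory does not exist
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Vulnerable pattern from the advisory: the caller-controlled path is
     * opened directly, so any file readable by the JVM user can be read.
     */
    public static InputStream openUnrestricted(String file) throws IOException {
        return new FileInputStream(file);
    }

    /**
     * Hardened variant: resolve relative to baseDir, canonicalise, and refuse
     * anything whose real path lies outside baseDir.
     */
    public InputStream openRestricted(String file) throws IOException {
        // resolve() returns an absolute argument unchanged, so "/etc/passwd"
        // and "../../etc/passwd" both end up outside baseDir after normalize()
        Path candidate = baseDir.resolve(file).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path outside permitted directory: " + file);
        }
        // toRealPath() follows symlinks, so a link inside baseDir that points
        // elsewhere is also rejected; it throws if the file does not exist
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("path outside permitted directory: " + file);
        }
        return Files.newInputStream(real);
    }
}
```

An allowlist of specific file names inside `baseDir` would narrow this further; the check above only guarantees that the opened file is a regular file whose real location is under the permitted directory.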

Preconditions

  • auth: The attacker must have administrative privileges to upload and execute extension scripts.
  • input: The attacker must provide an arbitrary file path and a destination URL for exfiltration.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.