Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing
Description
Summary
The fileID field from Manifest.db (a SQLite database inside iOS backups, generated by the device) is used directly in filesystem path construction without validation. This affects two commands through a shared code path:
- **mvt-ios decrypt-backup** (decrypt.py): `file_id` is used to construct both the read source and the write destination paths. Traversal sequences in `file_id` cause decrypted content to be written to an arbitrary location on the analyst's filesystem.
- **mvt-ios check-backup** (via `_get_backup_file_from_id()` in `ios/modules/base.py`): the same unvalidated `fileID` resolves to files outside the backup directory, which are then opened and parsed. Parsed contents flow into the JSON results and the CSV timeline.
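As an added example (not MVT's own code or its fix), the following Python check confines a Manifest.db fileID to the backup directory before it is used in a path: the identifier must be a 40-character lowercase hex SHA-1, and the resolved path must still lie under the backup root. It assumes the iOS backup layout `<root>/<first two hex chars>/<fileID>`; the function names `safe_backup_path` and `classify_file_ids` and the sample IDs are constructed for this example.

```python
import re
from pathlib import Path

# Added example, not MVT code. Assumes the backup layout <root>/<id[:2]>/<id>.
FILE_ID_RE = re.compile(r"^[0-9a-f]{40}$")


class UnsafeFileID(ValueError):
    """Raised when a Manifest.db fileID fails validation or escapes the root."""


def safe_backup_path(backup_root: str, file_id: str) -> Path:
    """Resolve a Manifest.db fileID to a path confined to backup_root.

    Two independent checks: the identifier must look like a real fileID
    (lowercase hex SHA-1), and the resolved path must remain under the
    backup root once '..' components and symlinks are collapsed.
    """
    # SQLite may hand back None or bytes; reject anything but a hex string.
    if not isinstance(file_id, str) or not FILE_ID_RE.fullmatch(file_id):
        raise UnsafeFileID(f"rejecting malformed fileID: {file_id!r}")
    root = Path(backup_root).resolve()
    candidate = (root / file_id[:2] / file_id).resolve()
    # Defence in depth: even a hex-only ID must resolve inside the root.
    if root != candidate and root not in candidate.parents:
        raise UnsafeFileID(f"fileID resolves outside backup: {candidate}")
    return candidate


def classify_file_ids(backup_root: str, file_ids):
    """Return (accepted, rejected) lists for a batch of Manifest.db fileIDs."""
    accepted, rejected = [], []
    for fid in file_ids:
        try:
            safe_backup_path(backup_root, fid)
            accepted.append(fid)
        except UnsafeFileID:
            rejected.append(fid)
    return accepted, rejected


# Constructed sample: one well-formed ID and several that must be refused.
SAMPLE_FILE_IDS = [
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334",      # well-formed (constructed)
    "../../outside.db",                              # traversal sequence
    "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334",      # wrong case
    "",                                              # empty
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334/..",   # hex prefix plus traversal
]

if __name__ == "__main__":
    ok, bad = classify_file_ids("/tmp/backup", SAMPLE_FILE_IDS)
    print("accepted:", ok, "rejected:", bad)
```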
Impact
File write (decrypt-backup): An adversary delivering a crafted iOS backup can cause attacker-controlled content to be written to arbitrary paths writable by the analyst process. This could be leveraged for code execution via shell profile modification or SSH key injection. Severity is assessed as Moderate because exploitation requires a specifically crafted malicious bundle to be parsed by the analyst. There are trust mitigations between the stakeholders involved in the handoff of the sample that reduce the likelihood of this scenario.
File read (check-backup): An adversary can force MVT to open and parse files outside the backup directory. Practical exploitation is reduced as it requires the attacker to know or guess the analyst’s directory layout for cross-case targeting, and the traversed file from the host must be a valid SQLite database or plist whose schema matches what the specific MVT module expects.
Patched version
Credits
This issue was identified during a security assessment conducted by 0xche.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in MVT (Mobile Verification Toolkit) via unvalidated fileID in iOS backups allows arbitrary file write or read, potentially leading to code execution.
Vulnerability
Overview
The fileID field from Manifest.db (a SQLite database inside iOS backups) is used directly in filesystem path construction without validation [1][2]. This affects two commands: mvt-ios decrypt-backup and mvt-ios check-backup through a shared code path. In decrypt.py, the file_id is used to construct both read source and write destination paths, allowing traversal sequences to cause decrypted content to be written to arbitrary locations on the analyst's filesystem. In ios/modules/base.py, the _get_backup_file_from_id() function uses the same unvalidated fileID to resolve files outside the backup directory, which are then opened and parsed [1][2].
Exploitation
Conditions
For the file write scenario, an adversary must deliver a crafted iOS backup that includes traversal sequences in the fileID field. This requires the analyst to decrypt the backup using the tool. The written content is attacker-controlled, and could be leveraged for code execution (e.g., via shell profile modification or SSH key injection) [1]. For the file read scenario, the attacker must know or guess the analyst's directory layout, and the traversed file must be a valid SQLite database or plist matching the expected schema [1][2].
Impact
Successful exploitation allows arbitrary file write (potentially leading to code execution) or arbitrary file read (depending on the command used). The CVE is assessed as Moderate severity because exploiting it requires a specifically crafted malicious bundle and trust mitigations between analysts reduce likelihood [1][2].
Mitigation
The vulnerability is patched in MVT version 2026.5.12 [1][2][3]. Analysts should update to this version immediately and avoid processing iOS backups from untrusted sources without validation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 2026.4.28
- (no CPE) range: < 2026.5.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.