CVE-2026-49009
Description
Northern.tech Mender Server v4.1.0 and v4.0.1 and below (fixed in v4.1.1 and v4.0.2) allows directory traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in Mender Server (v4.1.0, v4.0.1 and below) allows authenticated users to write arbitrary files outside the intended directory, enabling code injection into artifacts.
Vulnerability
CVE-2026-49009 is a directory traversal vulnerability in Northern.tech Mender Server versions 4.1.0, 4.0.1, and below. The flaw exists in the endpoint for creating artifacts on the server (used from the UI or API). Due to improper input sanitization, an attacker can include path traversal sequences like ../ in the request to access and modify files outside the intended directory. The vulnerability is fixed in Mender Server 4.1.1 and 4.0.2 [1].
Exploitation
To exploit this vulnerability, an attacker needs a user account with permissions to access the specific API endpoint used for creating artifacts. In a multi-tenant system like hosted Mender, it is easy to sign up for an account with the needed permissions; in this scenario, it is guaranteed that some users are using the feature, making exploitation straightforward. For on-premise installations, it is usually not possible to just sign up for an account, but if an attacker gains access to a user account, exploitation is still possible if other users are using the affected APIs [1].
Impact
Successful exploitation allows an attacker to inject arbitrary (malicious) code into the artifacts they are trying to create by compromising the container for other users of the same API. If cryptographically signed artifacts are not used, devices running Mender Client could install these modified artifacts, leading to code execution on devices. However, if users employ cryptographically signed artifacts and have set up the Mender Client to verify signatures, devices would refuse to install maliciously modified artifacts, mitigating impact at the device level [1].
Mitigation
The vulnerability is fixed in Mender Server 4.0.2 and 4.1.1 (and later versions). Users on affected versions (Mender Server 4.1.0, 4.0.1, and earlier) should upgrade immediately. For hosted Mender, the issue has already been patched. If not using the feature of creating Mender artifacts on the server via the API or UI, users are not affected. Additionally, using cryptographically signed artifacts with verification on devices prevents installation of malicious artifacts [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.0.1 || <=4.1.0
- Range: >=4.0.0, <=4.0.1; <=4.1.0; fixed in 4.0.2 and 4.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.