VYPR
← All advisories
Medium severity4.8NVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

CVE-2026-52756

CVE-2026-52756

Description

Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages with traversal sequences to enumerate filesystem paths and probe arbitrary files.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The IsfServer passes client-supplied namespace strings directly to filesystem operations without validation, enabling path traversal."

Attack vector

Remote attackers can connect to the IsfServer TCP socket on port 54321 without authentication. By sending crafted protobuf messages containing traversal sequences in the namespace field, attackers can probe arbitrary filesystem paths. The server's response, differentiating between "file not found" and "invalid archive format" errors, allows for filesystem enumeration [ref_id=1].

Affected code

The vulnerability exists in Ghidra's IsfServer, specifically in the `IsfServer.java` file. The `IsfServer` listens on TCP port 54321 and accepts unauthenticated connections. Client-supplied namespace strings from protobuf messages are passed directly to `getDataTypeManager()` and subsequently used to create a `File` object without any path validation [ref_id=1].

What the fix does

The advisory does not specify a patch or provide remediation guidance beyond noting that the IsfServer is an experimental feature with no supported use case. Therefore, the vulnerability remains unpatched according to the provided information.

Preconditions

  • networkThe attacker must be able to reach TCP port 54321 on the target system.
  • configThe IsfServer must be manually launched on the target system.
  • authNo authentication is required to connect to the IsfServer.

Reproduction

Connect to the IsfServer TCP socket on port 54321. Send a protobuf RootMessage containing a FullExportRequest with ns = "../../../../etc/shadow.gdt". The server calls new File("../../../../etc/shadow.gdt") and attempts to open it via FileDataTypeManager.openFileArchive(). The error response reveals whether the file exists. Repeat with different paths to enumerate the filesystem [ref_id=1].

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

1