CVE-2026-3838: Critical Path Traversal Flaw in Unraid Allows Remote Code Execution as Root
A critical path traversal vulnerability in Unraid (CVE-2026-3838) allows authenticated remote attackers to execute arbitrary code as root, with a CVSS score of 8.8.

A critical path traversal vulnerability has been disclosed in Unraid, the popular network-attached storage (NAS) operating system. Tracked as CVE-2026-3838 and published by the Zero Day Initiative (ZDI-26-171), the flaw carries a CVSS score of 8.8 and allows remote authenticated attackers to execute arbitrary code with root privileges. The vulnerability was reported by researcher Nicolas Chatelain (Nicocha30) and has been patched in Unraid version 7.2.4.
The vulnerability resides in the `update.php` file, a core component of Unraid's update mechanism. According to the advisory, the issue stems from the lack of proper validation of user-supplied paths before they are used in file operations. An attacker who has already obtained valid credentials for the Unraid web interface can craft a malicious request that traverses directories, ultimately writing or overwriting files outside the intended scope. This path traversal can be leveraged to achieve remote code execution in the context of the root user, giving the attacker full control of the system.
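As an added illustration, not Unraid's own code (the advisory does not publish the vulnerable source), the following Python contrasts the flawed pattern the advisory describes, a user-supplied path joined and used without confinement, with a check that canonicalizes the path and rejects anything that escapes the intended directory, including encoded `..`, absolute paths and sibling directories that merely share the base as a string prefix; the staging directory and file names are assumptions.

```python
"""Illustration of the bug class behind CVE-2026-3838 (a user-supplied path
used in file operations without confinement) beside the defensive check that
prevents it. Not Unraid's update.php; STAGING_DIR and the request shape are
assumptions made for this example."""
import os
from pathlib import Path
from urllib.parse import unquote

# Assumed directory an update handler is permitted to write into.
STAGING_DIR = "/srv/example-updates"


def unsafe_target(base: str, user_path: str) -> str:
    """Flawed pattern: the user-controlled name is joined and used as-is.
    os.path.join silently discards base when user_path is absolute, and
    '..' components are never examined."""
    return os.path.join(base, user_path)


def confined_target(base: str, user_path: str) -> str:
    """Hardened pattern: decode, canonicalize, then require the result to
    remain under base. Raises ValueError for anything that escapes."""
    # Decode twice so a double-encoded '..' (%252e%252e) cannot slip through.
    decoded = unquote(unquote(user_path))
    if not decoded or "\x00" in decoded:
        raise ValueError("empty or NUL-containing path")
    base_real = Path(base).resolve()
    # Join then resolve: symlinks and '..' are collapsed before the check,
    # so the comparison is on the real filesystem location.
    candidate = Path(os.path.join(str(base_real), decoded)).resolve()
    try:
        # relative_to() compares path components, not string prefixes, so
        # '/srv/example-updates_evil' is correctly rejected.
        candidate.relative_to(base_real)
    except ValueError:
        raise ValueError(f"path escapes {base_real}: {user_path!r}") from None
    return str(candidate)


def is_confined(base: str, user_path: str) -> bool:
    """Predicate form for request validation and unit tests."""
    try:
        confined_target(base, user_path)
        return True
    except ValueError:
        return False
```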
Unraid is widely deployed in home labs, small businesses, and enterprise edge environments for its flexible storage pooling and virtualization capabilities. While the vulnerability requires authentication, many Unraid installations expose the web management interface to local networks or even the internet, making them potential targets. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) underscores the severity: the attack is network-based, has low complexity, and requires no user interaction, though the attacker must have a valid account.
Lime Technology, the company behind Unraid, has released version 7.2.4 which addresses the vulnerability. Users are strongly advised to update immediately. For those who cannot update promptly, restricting access to the Unraid web interface via firewall rules or VPNs is a recommended mitigation. The disclosure timeline shows the vulnerability was reported to the vendor on February 19, 2026, and the coordinated public advisory was released on March 9, 2026.
This vulnerability is part of a broader pattern of path traversal and file operation flaws in NAS and server management software. Similar issues have been found in products from QNAP, Synology, and TrueNAS in recent years, often leading to full system compromise. The fact that CVE-2026-3838 requires authentication does not significantly reduce the risk, as attackers often obtain credentials through phishing, credential stuffing, or by exploiting other vulnerabilities in the same environment.
Organizations using Unraid should treat this patch as high priority. Given the root-level access the flaw grants, a successful exploit could lead to data exfiltration, ransomware deployment, or lateral movement within a network. The ZDI advisory notes that the vulnerability was discovered through responsible disclosure, and no active exploitation has been reported as of the advisory date. However, with the patch now public and technical details available, attackers are likely to reverse-engineer the fix and develop exploits.