CVE-2026-3839: Unraid Authentication Bypass Vulnerability Allows Remote Takeover
A critical path traversal vulnerability in Unraid's auth-request.php allows unauthenticated attackers to bypass authentication entirely, with a CVSS score of 7.3.
A critical authentication bypass vulnerability has been disclosed in Unraid, the popular NAS operating system designed for network-attached storage. Tracked as CVE-2026-3839 and reported by researcher Nicolas Chatel researcher Nicolas Chatelain (Nicocha30), the flaw resides in the auth-request.php file and allows unauthenticated remote attackers to bypass authentication entirely.
The vulnerability stems from improper validation of user-supplied paths before they are used in authentication checks. Specifically, the auth-request.php script fails to properly sanitize path inputs, enabling an attacker to traverse directories and access restricted functionality without valid credentials. The flaw carries a CVSS score of 7.3, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating low attack complexity and no required privileges.
Unraid has released version 7.2.4 to address the vulnerability. The fix was coordinated through the Zero Day Initiative (ZDI), which published the advisory as ZDI-26-172 on March 9, 2026. The disclosure timeline shows the vulnerability was reported to the vendor on February 17, 2026, with the coordinated public release occurring on March 20 days later.
The impact of this vulnerability is significant for Unraid users. As a popular NAS operating system, Unraid is deployed in both home and small business environments, often managing sensitive data. An attacker exploiting CVE-2026-3839 could gain unauthorized access to the web interface, potentially leading to data exposure, configuration changes, or further compromise of the network.
While no active exploitation has been reported in the wild at the time of disclosure, the low complexity of the attack and the availability of technical details in the advisory make it likely that proof-of-concept exploits will emerge quickly. Users are strongly advised to update to Unraid 7.2.4 immediately.
This vulnerability adds to a growing list of authentication bypass flaws in NAS and server management software. Similar issues have been found in products from QNAP, Synology, and TrueNAS, highlighting the importance of rigorous input validation in authentication mechanisms. The ZDI advisory credits Chatelain for responsible disclosure and notes that the fix was applied before public release.
For Unraid administrators, the immediate action is to upgrade to version 7.2.4. Those unable to update should consider restricting access to the web interface to trusted networks and implementing additional authentication layers such as VPNs or reverse proxies. The advisory is available at Zero Day Initiative.