VYPR
patch · Published Apr 15, 2026 · Updated May 18, 2026 · 1 source

CVE-2026-5489: Unauthenticated Directory Traversal in DriveLock Exposes Sensitive Data

A directory traversal vulnerability in DriveLock's web service allows unauthenticated remote attackers to read sensitive files, with a CVSS score of 5.3 and a patch now available.

A directory traversal vulnerability in DriveLock's web service, tracked as CVE-2026-5489, allows unauthenticated remote attackers to disclose sensitive information. The flaw, disclosed by Zero Day Initiative on April 15, 2026, carries a CVSS score of 5.3 and affects the default web service listening on TCP port 4568. DriveLock has released an update to address the issue.

The vulnerability stems from improper validation of user-supplied paths before file operations. An attacker can craft a request containing directory traversal sequences (e.g., `../`) to read arbitrary files from the server's filesystem. Because authentication is not required, any remote attacker with network access to the affected service can exploit this flaw without credentials.

The impact is limited to information disclosure in the context of the service account, meaning an attacker could read configuration files, credentials, or other sensitive data stored on the DriveLock server. The CVSS vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects the low confidentiality impact and no impact on integrity or availability.
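The two paragraphs above describe the flaw class in general terms: a web service joins a client-supplied path onto its document root without checking where the result lands. The following is an added illustration, not DriveLock's code and not derived from the advisory. It places a naive join beside a hardened resolver, using a throwaway directory tree and file names constructed for the demo, so the containment check can be exercised offline. The resolver decodes percent-encoding once before validating, canonicalises with `realpath` so symlinks and `..` are resolved before the comparison, and uses `commonpath` rather than a string-prefix test so a sibling directory whose name merely starts with the root's name is not accepted.

```python
"""Added example (not DriveLock code): an unchecked path join that walks out
of the web root, beside a resolver that confines every request to it.
All directory and file names below are constructed for this demo."""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """Naive join with no validation: '../' sequences escape web_root.
    Illustrates the flaw class in the advisory; this is not DriveLock's code."""
    return os.path.normpath(os.path.join(web_root, requested))


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """Return the canonical path of a file under web_root, or None if the
    request would escape it. Decoding happens exactly once, before any check,
    so %2e%2e%2f is treated the same as a literal '../'."""
    decoded = unquote(requested)
    # NUL bytes and absolute paths are never legitimate for a static-file request.
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        return None
    root = os.path.realpath(web_root)
    # realpath resolves '..' and symlinks, so the containment check sees the real target.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath confines to root itself; a plain prefix test would wrongly
    # accept '/srv/www_other/x' as being inside '/srv/www'.
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # paths on different drives (Windows) share no common path
        return None
    return candidate


def demo() -> dict:
    """Build a temporary web root holding one public file, plus one secret file
    one level above it, and record how each resolver treats a traversal request.
    Returns the outcomes so they can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "www")
        os.makedirs(web_root)
        with open(os.path.join(web_root, "index.html"), "w") as f:
            f.write("public")
        secret_value = "db_password=constructed-example-value"
        with open(os.path.join(tmp, "secret.cfg"), "w") as f:
            f.write(secret_value)

        traversal = "../secret.cfg"
        # The naive join hands back the file outside the web root.
        with open(vulnerable_resolve(web_root, traversal)) as f:
            leaked = f.read()

        return {
            "vulnerable_leaks_secret": leaked == secret_value,
            "safe_blocks_literal": safe_resolve(web_root, traversal) is None,
            "safe_blocks_encoded": safe_resolve(web_root, "%2e%2e%2fsecret.cfg") is None,
            "safe_blocks_absolute": safe_resolve(web_root, "/etc/passwd") is None,
            "safe_allows_public": safe_resolve(web_root, "index.html")
            == os.path.realpath(os.path.join(web_root, "index.html")),
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The same containment check applies to any service that maps request paths to files; the point the advisory makes about rigorous input validation is the `safe_resolve` step, done after decoding and canonicalisation rather than on the raw request string.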

DriveLock has issued a security bulletin (26-001-DESForwarding) and an update to correct the vulnerability. Users are strongly advised to apply the patch immediately. The advisory credits researcher stuxxn for discovering and reporting the flaw.

The disclosure timeline shows the vulnerability was reported to DriveLock on February 6, 2026, with coordinated public release on April 15, 2026. This three-month window is typical for responsible disclosure, allowing the vendor time to develop and test a fix before public details emerge.

Directory traversal vulnerabilities remain a common class of web application flaws, often leading to data breaches when exploited. This incident underscores the importance of rigorous input validation in enterprise software, particularly in services exposed to untrusted networks. Organizations using DriveLock should prioritize patching and review their exposure of the web service on port 4568.

Synthesized by Vypr AI