CVE-2026-5491: Unauthenticated Directory Traversal in DriveLock Exposes Sensitive Data
A critical directory traversal vulnerability in DriveLock's web service allows remote, unauthenticated attackers to read arbitrary files from the file system, with a CVSS score of 7.5 and a patch now available.

A high-severity directory traversal vulnerability has been disclosed in DriveLock, a widely used endpoint security and device control solution. Tracked as CVE-2026-5491 and published by the Zero Day Initiative (ZDI-287), the flaw allows remote, unauthenticated attackers to read arbitrary files from the underlying operating system, potentially exposing sensitive configuration data, credentials, and other confidential information.
The vulnerability resides in DriveLock's web service, which listens on TCP port 6067 by default. The issue stems from improper validation of user-supplied paths before they are used in file operations. An attacker can craft a request containing directory traversal sequences (e.g., `../`) to escape the intended web root and access files outside the service's working directory. Because authentication is not required, any system with the vulnerable service exposed to the network is at immediate risk.
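The root cause described above is a missing canonicalisation-and-containment check before a request path is used in a file operation. The following is an added example, not DriveLock's code and not derived from the advisory, showing the defensive pattern a file-serving handler needs: percent-decode the request, normalise separators, canonicalise the joined path, and serve it only if the result is still inside the web root. The function names, the throwaway web root and the request strings are all constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def resolve_under_root(web_root: str, requested: str) -> str:
    """Map an untrusted request path onto a file under web_root, or raise.

    Generic hardening logic (hypothetical helper, not the vendor's code):
      1. Percent-decode repeatedly, so double-encoded '%252e%252e' collapses.
      2. Treat backslashes as separators too, since Windows accepts both.
      3. Drop leading slashes so the path is always relative to the root.
      4. Canonicalise with realpath, which collapses '..' and resolves symlinks.
      5. Accept only if the canonical result is the root or sits below it.
    """
    root = os.path.realpath(web_root)

    decoded = requested
    for _ in range(3):  # bounded loop: enough for double/triple encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step

    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in request path")

    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, decoded))

    # Containment check: prefix comparison must include the separator so that
    # a sibling directory such as /srv/webroot2 does not pass for /srv/webroot.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathTraversalError(f"path escapes web root: {requested!r}")
    return candidate


def classify(web_root: str, requested: str) -> str:
    """Return 'allowed' or 'blocked' for a single request path."""
    try:
        resolve_under_root(web_root, requested)
        return "allowed"
    except PathTraversalError:
        return "blocked"


def demo() -> dict:
    """Build a throwaway web root and classify constructed request paths."""
    web_root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(web_root, "index.html"), "w") as fh:
        fh.write("<html>ok</html>")

    # Constructed sample requests: benign forms and the traversal variants a
    # validator must reject (plain, URL-encoded, double-encoded, backslash, NUL).
    requests = [
        "index.html",
        "/index.html",
        "sub/../index.html",
        "../../etc/passwd",
        "..%2f..%2fetc%2fpasswd",
        "..%252f..%252fetc%252fpasswd",
        "..\\..\\windows\\win.ini",
        "index.html%00.txt",
    ]
    return {r: classify(web_root, r) for r in requests}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

The important design choice is step 5: rejecting the literal string `../` is not sufficient, because encoded and mixed-separator forms bypass a substring filter; comparing the canonical resolved path against the canonical root catches every variant regardless of how the traversal was spelled.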
DriveLock has assigned the vulnerability a CVSS score of 7.5, reflecting the high confidentiality impact and the ease of exploitation (network-based, low complexity, no privileges required). The advisory notes that an attacker can leverage this flaw to disclose information in the context of the service account, which typically runs with SYSTEM or equivalent privileges, so the files exposed could lead to further compromise of the host.
DriveLock has released a security update to address the vulnerability. The patch is available via the vendor's security bulletin portal at https://www.drivelock.help/sb/Content/SecurityBulletins/26-003-PathValidation.htm. Organizations using DriveLock are strongly advised to apply the update immediately and to restrict network access to the web service (port 6067) to trusted hosts where possible.
The vulnerability was reported to DriveLock on February 6, 2026, by researcher stuxxn, and the coordinated public disclosure occurred on April 15, 2026. This timeline highlights the importance of responsible disclosure and vendor responsiveness in mitigating risks before adversaries can weaponize the flaw.
Directory traversal vulnerabilities remain a persistent threat in enterprise software, often serving as an entry point for initial access or information gathering. This disclosure underscores the need for rigorous input validation in all network-facing services, particularly those handling sensitive endpoint management functions.