IceWarp Collaboration Flaw Allows Unauthenticated Directory Traversal, Information Disclosure
A critical directory traversal vulnerability in IceWarp collaboration software allows unauthenticated remote attackers to read arbitrary files as root, with patches available in versions 14.2.0.12 and 14.1.0.20.

A critical directory traversal vulnerability in IceWarp collaboration software, tracked as CVE-2026-2493, allows unauthenticated remote attackers to disclose sensitive information. The flaw, disclosed by Zero Day Initiative (ZDI-26-130), carries a CVSS score of 7.5 and affects all versions prior to the patched releases.
The vulnerability resides in the handling of the `ticket` parameter within the collaboration endpoint. The software fails to properly validate user-supplied paths before using them in file operations, enabling an attacker to traverse directories and read arbitrary files on the system. Because the IceWarp service runs with root privileges, an attacker can access any file on the server, including configuration files, credentials, and other sensitive data.
No authentication is required to exploit this vulnerability, making it particularly dangerous for internet-exposed IceWarp instances. The advisory credits researcher Nicocha30 with discovering the flaw. IceWarp's collaboration suite is widely used by enterprises for email, messaging, and document sharing, which increases the potential impact.
IceWarp has released patches in versions 14.2.0.12 and 14.1.0.20. Users are strongly advised to upgrade immediately. The vendor's release notes provide details on the fixes. As a temporary mitigation, administrators can restrict access to the collaboration endpoint using firewalls or web application firewalls.
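As an added illustration of the defect class and of the interim mitigation (this is not IceWarp's code or anything from the advisory): a containment check that refuses a `ticket` value that escapes its base directory before any file operation, plus a detector that flags traversal attempts in the `ticket` parameter of web-server access-log lines. The `/srv/icewarp/tickets` root, the `/collaboration` request path and the log lines are assumptions constructed for the example.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical base directory for ticket files; the advisory does not name IceWarp's real paths.
TICKET_ROOT = Path("/srv/icewarp/tickets").resolve()

def resolve_ticket_path(ticket: str, root: Path = TICKET_ROOT) -> Optional[Path]:
    """Map a user-supplied ticket value to a file under root, or None if it escapes.

    The value is percent-decoded twice (catching double-encoded dots), joined to
    the root and canonicalised; the result must still lie inside root.  An
    absolute value replaces the root on join and is therefore rejected as well.
    """
    candidate = (root / unquote(unquote(ticket))).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def has_traversal(value: str) -> bool:
    """True when a parent-directory segment appears after full decoding."""
    text = unquote(value).replace("\\", "/")   # parse_qs already decoded once
    return any(seg == ".." for seg in text.split("/"))

def suspicious_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_ticket) for lines whose ticket parameter traverses."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("ticket", []):
            if has_traversal(value):
                hits.append((client, unquote(value)))
    return hits

# Constructed access-log lines; the /collaboration path is an assumption, not from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /collaboration?ticket=2026-0412 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Feb/2026:10:01:05 +0000] "GET /collaboration?ticket=../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.9 - - [12/Feb/2026:10:02:11 +0000] "GET /collaboration?ticket=%252e%252e%2f%252e%252e%2fetc%2fshadow HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, ticket in suspicious_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: ticket={ticket!r}")
```

The same containment test belongs in the service itself; the log detector is only a stopgap for spotting attempts against an instance that cannot be patched yet.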
This vulnerability highlights the ongoing risk of directory traversal flaws in enterprise collaboration platforms. Organizations should prioritize patching and conduct regular security assessments to identify similar issues.