CVE-2022-26352

CVE-2022-26352 is a critical-severity vulnerability in Dotcms with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-08-25).

Key facts

Description

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

CVE-2022-26352: dotCMS ContentResource Directory Traversal and Arbitrary File Upload

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2022-26352
Vendor dotCMS
Product dotCMS
Severity Critical
CVSS v3.1 9.8
EPSS 0.91501 (99.8th percentile)
KEV Added 2022-08-25
Affected 3.0 – 22.02

Summary

CVE-2022-26352 is a directory traversal vulnerability in dotCMS's ContentResource API. Insufficient sanitization of the filename parameter in multipart form requests allows attackers to write files outside the intended upload directory. When anonymous content creation is enabled, an unauthenticated attacker can upload an executable file—such as a .jsp file—to a web-accessible path, leading to remote code execution.

Background

dotCMS is an open-source content management system written in Java. The ContentResource API provides HTTP endpoints for content creation, including multipart form submissions that allow users to upload files. This endpoint is exposed to frontend users and editorial workflows, making it a sensitive attack surface in typical deployments.

Root cause

The vulnerability arises from insufficient sanitization of the filename field supplied in multipart form uploads handled by the ContentResource API. The application fails to validate or strip directory traversal sequences (for example, ../) from the user-provided filename before computing the destination path on the underlying filesystem. Consequently, the attacker can influence the final write location, bypassing the intended storage boundary. This is a path traversal weakness in a file upload handling routine.

Impact

The CVSS v3.1 score of 9.8 (Critical) reflects that the vulnerability is exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction. The confidentiality, integrity, and availability impacts are all rated HIGH.

Successful exploitation can result in arbitrary file upload to web-accessible or sensitive directories. If an executable file such as a .jsp is placed in a directory served by the application server, the attacker can achieve remote code execution. Even in the absence of code execution, the traversal can be abused to overwrite or pollute files on the host filesystem.

Exploitation walkthrough

The attack surface is the ContentResource API's multipart form endpoint. An attacker constructs a multipart HTTP request where the filename field contains directory traversal sequences. Because the application does not sanitize this value before writing the file, the content is saved to a directory outside the intended upload folder.

If anonymous content creation is enabled, the attacker does not need valid credentials. An executable file placed in a web-accessible directory may be processed by the servlet container, granting the attacker remote code execution.

Ethics caveat: This description is provided for defensive purposes only. Security researchers and operators should test only on systems they own or have explicit written authorization to assess.

Affected and patched versions

  • Affected: dotCMS 3.0 through 22.02
  • Patched: Versions after 22.02 are not affected. Users should upgrade to the latest available release or consult the vendor's release notes for the specific fix.

Remediation

  1. Upgrade: Update dotCMS to a version newer than 22.02. Verify the fix in the vendor's changelog or release notes before deploying.
  2. Disable anonymous content creation: If anonymous content creation is not required, disable it to prevent unauthenticated exploitation of this endpoint.
  3. Input validation: Deploy a web application firewall (WAF) or reverse proxy rule that inspects multipart/form-data requests and blocks directory traversal patterns in the filename parameter.
  4. File system controls: Restrict the application process's write permissions to the intended upload directory. Ensure that uploaded files cannot be executed by the web server or application server.
  5. Network segmentation: Limit exposure of the ContentResource API to trusted administrative networks where possible.

Detection

  • Monitor HTTP access logs for POST requests to the ContentResource API containing ../ or URL-encoded traversal sequences in multipart filename fields.
  • Alert on file creation events outside the designated dotCMS asset or upload directories, especially for executable extensions such as .jsp.
  • Use file integrity monitoring (FIM) on the web application root to detect unauthorized file placement.
  • Correlate multipart uploads with subsequent requests to unusual paths or unexpected child processes spawned by the application server.

Assessment

This vulnerability carries an EPSS score of 0.91501 (99.8th percentile), indicating a very high probability of active exploitation in the wild. Its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog on 2022-08-25, and its presence on the EU's exploited vulnerabilities list since the same date, confirms that threat actors have successfully weaponized it.

Key lessons:

  1. File upload endpoints must always sanitize user-provided filenames, stripping path separators and traversal sequences before any filesystem operation.
  2. Anonymous or unauthenticated content creation features dramatically expand the attack surface of upload vulnerabilities and should be disabled by default unless explicitly required.

References

Frequently asked questions

What is CVE-2022-26352?
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
How severe is CVE-2022-26352?
CVE-2022-26352 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-26352 being actively exploited?
Yes. CVE-2022-26352 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-08-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-26352?
CVE-2022-26352 affects Dotcms. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-26352?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-26352 have an EU (EUVD) identifier?
Yes. CVE-2022-26352 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-30911. It is also flagged as exploited in the EUVD (since 2022-08-25).
When was CVE-2022-26352 published?
CVE-2022-26352 was published on 2022-07-17 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Dotcms

All CVEs affecting Dotcms →