CVE-2026-35583
Emissary has a Path Traversal via Blacklist Bypass in Configuration API
Description
## Summary The configuration API endpoint (`/api/configuration/{name}`) validated configuration names using a blacklist approach that checked for `\`, `/`, `..`, and trailing `.`. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. ## Details ### Vulnerable code — `Configs.java` (line 126) ```java protected static String validate(String config) { if (StringUtils.isBlank(config) || config.contains("\\") || config.contains("/") || config.contains("..") || config.endsWith(".")) { throw new IllegalArgumentException("Invalid config name: " + config); } return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING); } ``` ### Weakness The blacklist blocked literal `\`, `/`, `..`, and trailing `.` but could potentially miss: - URL-encoded variants (`%2e%2e%2f`) if decoded after validation - Double-encoded sequences (`%252e%252e%252f`) - Unicode normalization bypasses - The approach relies on string matching rather than canonical path resolution ### Impact - Potential read access to configuration files outside the intended config directory - Information disclosure of sensitive configuration values ## Remediation Fixed in [PR #1292](https://github.com/NationalSecurityAgency/emissary/pull/1292), merged into release 8.39.0. The blacklist was replaced with an allowlist regex that only permits characters matching `^[a-zA-Z0-9._-]+$`: ```java protected static final Pattern VALID_CONFIG_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$"); protected static String validate(String config) { if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains("..") || config.endsWith(".")) { throw new IllegalArgumentException("Invalid config name: " + config); } return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING); } ``` This ensures that any character outside the allowed set — including encoded slashes, percent signs, and Unicode sequences — is rejected before the config name reaches the filesystem. Tests were added to verify that URL-encoded (`%2e%2e%2f`), double-encoded (`%252e%252e%252f`), and Unicode (`U+002F`) traversal attempts are blocked. ## Workarounds If upgrading is not immediately possible, deploy a reverse proxy or WAF rule that rejects requests to `/api/configuration/` containing encoded path traversal sequences. ## References - [PR #1292 — validate config name with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1292) - Original report: GHSA-wjqm-p579-x3ww
How to fix CVE-2026-35583
To remediate CVE-2026-35583, upgrade the affected package to a fixed version below.