CVE-2026-0963 – An input neutralization vulnerability in Crafty... (How to Fix)

Q: What is the severity of CVE-2026-0963?

CVE-2026-0963 has a CVSS score of 9.9 (CRITICAL). An input neutralization vulnerability in Crafty Controller's File Operations API Endpoint allows authenticated attackers to perform path traversal attacks, leading to file tampering and remote code execution. This affects all Crafty Controller installations with vulnerable versions exposed to authenticated users.

📋 TL;DR

An input neutralization vulnerability in Crafty Controller's File Operations API Endpoint allows authenticated attackers to perform path traversal attacks, leading to file tampering and remote code execution. This affects all Crafty Controller installations with vulnerable versions exposed to authenticated users.

💻 Affected Systems

Products:

Crafty Controller

Versions: Crafty 4 versions prior to the fix

Operating Systems: All platforms running Crafty Controller

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the File Operations API endpoint.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via remote code execution, allowing attacker to execute arbitrary commands, access sensitive data, and pivot to other systems.

🟠

Likely Case

Unauthorized file access and modification, potentially leading to service disruption, data theft, or privilege escalation.

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent unauthorized access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but path traversal vulnerabilities are typically easy to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check the GitLab issue for specific fixed version

Vendor Advisory: https://gitlab.com/crafty-controller/crafty-4/-/issues/660

Restart Required: Yes

Instructions:

1. Check the GitLab issue for the specific fixed version. 2. Update Crafty Controller to the patched version. 3. Restart the Crafty Controller service.

🔧 Temporary Workarounds

Restrict API Access

all

Limit access to the File Operations API endpoint using network controls or web application firewall rules.

Implement Input Validation

all

Add input validation to reject path traversal sequences in file operation requests.

🧯 If You Can't Patch

Implement strict network segmentation to isolate Crafty Controller from sensitive systems
Enforce strong authentication and limit user privileges to minimize attack surface

🔍 How to Verify

Check if Vulnerable:

Check Crafty Controller version against the vulnerable range specified in the GitLab issue.

Check Version:

Check Crafty Controller web interface or configuration files for version information

Verify Fix Applied:

Verify the Crafty Controller version matches or exceeds the patched version mentioned in the advisory.

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns
Path traversal sequences in API requests
Unauthorized file modification attempts

Network Indicators:

Suspicious requests to File Operations API endpoint with path traversal payloads

SIEM Query:

source="crafty-controller" AND (uri="*../*" OR uri="*..\\*" OR method="POST" AND uri="*/api/file*")

📊 Metadata

CVE ID: CVE-2026-0963

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CWE: CWE-22

Published: January 30, 2026

Last Updated: February 5, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

https://gitlab.com/crafty-controller/crafty-4/-/issues/660

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0963, you might also want to check these: