CVE-2026-21857
📋 TL;DR
This vulnerability allows authenticated REDAXO users with backup permissions to read arbitrary files within the webroot via path traversal in the Backup addon. Attackers can manipulate the EXPDIR parameter to include any readable file in generated archives. Only affects REDAXO installations with the Backup addon enabled and users with backup permissions.
💻 Affected Systems
- REDAXO CMS
📦 What is this software?
Redaxo by Redaxo
⚠️ Risk & Real-World Impact
Worst Case
Sensitive configuration files, database credentials, or source code could be exfiltrated, potentially leading to full system compromise.
Likely Case
Attackers with backup permissions can read sensitive files within the webroot, potentially exposing configuration data or other sensitive information.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who already have backup permissions.
🎯 Exploit Status
Exploitation requires authenticated access with backup permissions. Path traversal techniques are well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.20.2
Vendor Advisory: https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv
Restart Required: No
Instructions:
1. Backup your REDAXO installation and database.
2. Download REDAXO 5.20.2 or newer from the official repository.
3. Replace the existing installation with the updated version.
4. Verify the Backup addon is updated to the latest version.
🔧 Temporary Workarounds
Disable Backup Addon
Temporarily disable the Backup addon until patching is possible.
Navigate to REDAXO backend > Addons > Backup > Deactivate
Restrict Backup Permissions
Limit backup permissions to only essential administrators.
Navigate to REDAXO backend > Users & Permissions > Adjust user roles
🧯 If You Can't Patch
- Implement strict access controls to limit backup permissions to trusted administrators only.
- Monitor web server logs for suspicious file access patterns and path traversal attempts.
🔍 How to Verify
Check if Vulnerable:
Check if REDAXO version is below 5.20.2 and Backup addon is enabled.
Check Version:
Check REDAXO backend dashboard or view /redaxo/src/core/version.php
Verify Fix Applied:
Verify REDAXO version is 5.20.2 or newer and test that path traversal attempts in Backup addon are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in backup operations
- Path traversal sequences (../) in POST parameters
Network Indicators:
- Large backup file downloads from non-admin users
- Multiple backup requests in short timeframes
SIEM Query:
web_access_logs WHERE (url_path CONTAINS '/redaxo/index.php?page=backup' AND post_data CONTAINS '../')
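The log indicators and SIEM query above can be turned into an offline check over access logs. The following script is an added example, not part of the advisory and not REDAXO project code. It assumes a log format in which the web server records the request line together with the POST body as a final quoted field (standard combined log format does not include POST bodies, so the regex must be adapted to your own logging setup); the sample lines are constructed, and the `EXPDIR` parameter name comes from the advisory. It goes slightly beyond the literal SIEM query by also decoding URL-encoded and double-encoded traversal sequences, which a plain substring match on `../` would miss.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (not from the advisory). Format assumed here:
#   ip - user [timestamp] "METHOD target PROTO" status size "post-body-or-dash"
SAMPLE_LOG = """\
10.0.0.5 - editor [12/Mar/2026:10:01:02 +0000] "POST /redaxo/index.php?page=backup/export HTTP/1.1" 200 512 "EXPDIR=media"
10.0.0.7 - editor [12/Mar/2026:10:02:45 +0000] "POST /redaxo/index.php?page=backup/export HTTP/1.1" 200 9981 "EXPDIR=../../PLACEHOLDER-FILE"
10.0.0.7 - editor [12/Mar/2026:10:03:10 +0000] "POST /redaxo/index.php?page=backup/export HTTP/1.1" 200 9981 "EXPDIR=..%2F..%2FPLACEHOLDER-DIR"
10.0.0.9 - admin [12/Mar/2026:10:05:00 +0000] "GET /redaxo/index.php?page=structure HTTP/1.1" 200 2048 "-"
10.0.0.9 - admin [12/Mar/2026:10:06:00 +0000] "GET /redaxo/index.php?page=structure&dir=../x HTTP/1.1" 200 2048 "-"
"""

# One access-log line in the assumed format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+) '
    r'"(?P<body>[^"]*)"$'
)

# A ".." path component followed by a slash or backslash.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def is_backup_request(target: str) -> bool:
    """True if the request targets the REDAXO backend with a Backup addon page.

    The advisory's SIEM query matches '/redaxo/index.php?page=backup'; the
    'page' value is assumed to start with 'backup' for all Backup addon views.
    """
    path, _, query = target.partition("?")
    if path != "/redaxo/index.php":
        return False
    pages = parse_qs(query).get("page", [])
    return any(p.startswith("backup") for p in pages)


def has_traversal(value: str) -> bool:
    """True if the value contains '../' after single or double URL decoding."""
    decoded = unquote(unquote(value))
    return TRAVERSAL_RE.search(decoded) is not None


def find_backup_traversal(log_text: str) -> list[dict]:
    """Return one record per Backup addon request carrying a traversal sequence.

    Both the query string and the logged POST body are inspected, since the
    EXPDIR parameter could arrive either way.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_backup_request(m["target"]):
            continue
        _, _, query = m["target"].partition("?")
        body = "" if m["body"] == "-" else m["body"]
        for where, value in (("query", query), ("body", body)):
            if has_traversal(value):
                hits.append({
                    "ip": m["ip"],
                    "user": m["user"],
                    "ts": m["ts"],
                    "where": where,
                    "evidence": unquote(unquote(value)),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_backup_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} "
              f"({hit['where']}): {hit['evidence']}")
```

Running the script flags the two requests from 10.0.0.7 (the plain and the URL-encoded traversal) and ignores both the benign backup request and the non-backup request that happens to contain `../`. Pair the output with the "multiple backup requests in short timeframes" indicator by grouping hits per user and timestamp window in your SIEM.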