CVE-2026-28679
📋 TL;DR
CVE-2026-28679 is a path traversal vulnerability in Home-Gallery.org that allows attackers to download sensitive system files outside the intended media directory. This affects all users running versions before 1.21.0 of this self-hosted web gallery software. Attackers can exploit this without authentication to access files they shouldn't be able to reach.
💻 Affected Systems
- Home-Gallery.org
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through downloading of configuration files, SSH keys, password files, or other sensitive data leading to privilege escalation and lateral movement.
Likely Case
Exfiltration of sensitive personal files, application configuration data, or system information that could enable further attacks.
If Mitigated
Limited impact if proper network segmentation and file system permissions are in place, though sensitive data exposure is still possible.
🎯 Exploit Status
The vulnerability is simple to exploit by manipulating file paths in download requests. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.21.0
Vendor Advisory: https://github.com/xemle/home-gallery/security/advisories/GHSA-xj65-hcj5-h6j3
Restart Required: Yes
Instructions:
1. Backup your gallery data and configuration.
2. Stop the Home-Gallery service.
3. Update to version 1.21.0 using your package manager or by downloading from GitHub releases.
4. Restart the service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Download Functionality
Temporarily disable file downloads in the gallery configuration to prevent exploitation while planning the upgrade.
Edit configuration to set download: false or remove download endpoints
File System Restrictions
Use operating system permissions to restrict the gallery process from accessing files outside the media directory.
chroot jail setup or AppArmor/SELinux policies
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the gallery service
- Deploy a web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check if your version is below 1.21.0 and test by attempting to download a file with ../ sequences in the path parameter.
Check Version:
Check package.json or run the gallery with the --version flag
Verify Fix Applied:
After updating to 1.21.0, test that path traversal attempts (e.g., requests for ../../../etc/passwd) are blocked and return appropriate errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in download requests
- Failed download attempts with ../ sequences
- Requests for known sensitive files
Network Indicators:
- HTTP requests with path traversal patterns in URL parameters
- Unusual download patterns from single IPs
SIEM Query:
web.url:*../* AND (web.status:200 OR web.status:403) AND dest.app:"home-gallery"
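The SIEM query above only matches a literal "../" in the URL, so an encoded or double-encoded request slips past it. As an added example (not from this advisory or the Home-Gallery project), the Python below applies the same log indicators to constructed access-log lines after fully percent-decoding both the path and every query value; the /api/download endpoint, the file parameter and the sensitive-name list are assumptions, not Home-Gallery's real API.

```python
import re
import posixpath
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# Assumed watch-list of file names attackers typically request via traversal.
SENSITIVE = ("/etc/passwd", "/etc/shadow", ".ssh/", ".env")

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so %252e%252e (double-encoded '..') is seen as '..'."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def traversal_findings(target):
    """Return sorted reasons a request target looks like a traversal attempt, or []."""
    url = urlsplit(target)
    # Check the URL path and each query value (the vulnerable input is a path parameter).
    candidates = [url.path] + [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
    hits = set()
    for c in candidates:
        dec = decode_fully(c).replace("\\", "/")  # treat backslash as a separator too
        if ".." in dec.split("/"):
            hits.add("dot-dot segment")
        if any(name in dec for name in SENSITIVE):
            hits.add("sensitive file name")
    return sorted(hits)

def scan(lines):
    """Parse log lines and return one alert per suspicious request (any status code)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = traversal_findings(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "status": int(m["status"]),
                           "target": m["target"], "reasons": reasons})
    return alerts

# Constructed sample log: one benign download, one plain traversal that succeeded (200),
# one double-encoded traversal that was blocked (403), one benign static file.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /api/download?file=2024/holiday/IMG_0001.jpg HTTP/1.1" 200 512000
203.0.113.9 - - [10/Mar/2026:12:00:02 +0000] "GET /api/download?file=../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "GET /api/download?file=..%252F..%252F..%252F.ssh%252Fid_rsa HTTP/1.1" 403 0
198.51.100.7 - - [10/Mar/2026:12:00:04 +0000] "GET /files/album/photo.jpg HTTP/1.1" 200 30000
""".splitlines()
```

A successful (200) hit on a pre-1.21.0 instance is the case to escalate; repeated 403 hits from one source are reconnaissance against the patched or WAF-protected service.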