CVE-2026-41951
GROWI, Inc. · GROWI
A path traversal vulnerability in GROWI v7 allows an authenticated administrator to access unauthorized files on the underlying system.
Executive summary
A path traversal vulnerability in GROWI v7.5.0 and earlier poses a significant risk of unauthorized file access by authenticated users.
Vulnerability
This vulnerability is a path traversal flaw (CWE-22) residing in the application's file handling logic. It requires an attacker to have high-level administrative privileges (PR:H) to successfully manipulate path parameters and access restricted directories.
Business impact
Successful exploitation allows an authenticated administrator to read sensitive files from the server, potentially leading to information disclosure or further system compromise. While the CVSS score of 7.2 reflects a high severity due to the potential for total technical impact, the requirement for administrative authentication mitigates the immediate risk to external, unauthenticated attackers.
Remediation
Immediate Action: Update the GROWI installation to the latest version provided by the vendor to patch the path traversal flaw.
Proactive Monitoring: Review administrative access logs for unusual file system access patterns or attempts to traverse outside of expected directories.
Compensating Controls: Ensure the application service account is running with the principle of least privilege to restrict the scope of accessible files if a compromise occurs.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations utilizing GROWI should prioritize upgrading to the latest patched version to remediate this path traversal vulnerability. Although administrative privileges are required, the potential for sensitive data exposure warrants immediate patching to maintain system integrity.