CVE-2026-41951

GROWI, Inc. · GROWI

A path traversal vulnerability in GROWI v7 allows an authenticated administrator to access unauthorized files on the underlying system.

Executive summary

A path traversal vulnerability in GROWI v7.5.0 and earlier poses a significant risk of unauthorized file access by authenticated users.

Vulnerability

This vulnerability is a path traversal flaw (CWE-22) residing in the application's file handling logic. It requires an attacker to have high-level administrative privileges (PR:H) to successfully manipulate path parameters and access restricted directories.

Business impact

Successful exploitation allows an authenticated administrator to read sensitive files from the server, potentially leading to information disclosure or further system compromise. While the CVSS score of 7.2 reflects a high severity due to the potential for total technical impact, the requirement for administrative authentication mitigates the immediate risk to external, unauthenticated attackers.

Remediation

Immediate Action: Update the GROWI installation to the latest version provided by the vendor to patch the path traversal flaw.

Proactive Monitoring: Review administrative access logs for unusual file system access patterns or attempts to traverse outside of expected directories.

Compensating Controls: Ensure the application service account is running with the principle of least privilege to restrict the scope of accessible files if a compromise occurs.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations utilizing GROWI should prioritize upgrading to the latest patched version to remediate this path traversal vulnerability. Although administrative privileges are required, the potential for sensitive data exposure warrants immediate patching to maintain system integrity.