CVE-2026-8023 – Path traversal in Zephyr HTTP server static-filesystem resource handler allows unauthenticated remote arbitrary file read

CVE ID :CVE-2026-8023

Published : June 29, 2026, 10:15 p.m. | 1 hour, 30 minutes ago

Description :Zephyr’s HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client-url_buffer (assembled in on_url() for HTTP/1 and copied verbatim from the :path pseudo-header for HTTP/2) without resolving ./.. segments. The static-FS handler then built the on-disk filename by directly concatenating the configured root with that raw URL (snprintk(fname, …, “%s%s”, static_fs_detail-fs_path, client-url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ). Because the handler is reached via wildcard/leading-dir (fnmatch FNM_LEADING_DIR) or fallback resource matching, a request such as GET /
Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…