PT-2026-23660 · Appengine · Appengine

Published 2026-03-06 · Updated 2026-03-11 · CVE-2026-2331

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

AppEngine (affected versions not specified)

Description

An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP feature, due to improper access restrictions. A critical filesystem directory was unintentionally exposed through this HTTP-based file access feature, allowing access without authentication. The exposed area includes device parameter files, so an attacker can read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment. The vulnerable component is the AppEngine Fileaccess feature.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Files Accessible to External Parties


Weakness Enumeration

Related Identifiers

CVE-2026-2331

Affected Products

Appengine