PT-2026-27624 · Godoxy · Godoxy

Ormzro · Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33528

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GoDoxy versions prior to 0.27.5

Description: GoDoxy, a reverse proxy and container orchestrator, contains a path traversal flaw in the file content API endpoint at /api/v1/file/content. The filename query parameter is used directly to construct a file path, with no sanitization or validation beyond a check that the input is non-empty. An authenticated attacker can therefore supply ../ sequences to reach files outside the intended config/ directory, potentially including sensitive data such as TLS private keys and OAuth refresh tokens. The filename parameter is passed to path.Join() with common.ConfigBasePath set to "config", which yields a relative path; nothing verifies that the joined result still lies under that base. The vulnerable code is in the internal/api/v1/file/get.go file, in the GetPath() function. Both reading and writing files through the /api/v1/file/content endpoint are affected.

Recommendations: Versions prior to 0.27.5 should be updated to version 0.27.5 or later. Implement validation to ensure the resolved file path remains within the expected base directory.
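As an added example (not GoDoxy's own code and not the fix shipped in 0.27.5), the following Go program contrasts the weak pattern the advisory describes, joining a user-supplied name onto a base directory with only a non-empty check, against a resolver that enforces the recommendation above: after joining, it requires that the result still lies inside the base directory. The function names UnsafeJoin and SafeJoin, the ErrOutsideBase error, and the sample file names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested name would resolve outside the base directory.
// (Assumed name; not part of GoDoxy.)
var ErrOutsideBase = errors.New("requested path escapes the base directory")

// UnsafeJoin reproduces the weak pattern from the advisory: the only validation is
// "non-empty", and the user-controlled name is joined straight onto the base.
// filepath.Join cleans the result, so "../x" simply collapses to a path above base.
func UnsafeJoin(base, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty filename")
	}
	return filepath.Join(base, name), nil
}

// SafeJoin applies the recommended containment check: resolve base to an absolute
// path, join the name, then verify the joined path is a strict descendant of base.
// Using filepath.Rel (rather than a raw string prefix test) avoids the classic
// "config" vs "config-old" prefix confusion.
func SafeJoin(base, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty filename")
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join cleans, so "sub/../../x" is collapsed before the containment check.
	target := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", ErrOutsideBase
	}
	sep := string(filepath.Separator)
	// "." would be the base directory itself; ".." or "../..." means we escaped it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideBase
	}
	return target, nil
}

func main() {
	// Constructed sample inputs: one legitimate name and two traversal attempts.
	samples := []string{"routes/app.yml", "../outside.txt", "sub/../../outside.txt"}
	for _, name := range samples {
		u, _ := UnsafeJoin("config", name)
		s, err := SafeJoin("config", name)
		fmt.Printf("name=%-25q unsafe=%-20q safe=%q err=%v\n", name, u, s, err)
	}
}
```

If the base directory may contain symlinks, containment of the lexical path is not enough: after SafeJoin, also run filepath.EvalSymlinks on the result (when the file exists) and repeat the filepath.Rel check on the resolved path before opening it.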

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33528
GHSA-4753-CMC8-8J9V
GO-2026-4817
SUSE-SU-2026:1135-1

Affected Products

Godoxy