PT-2026-48813 · Pypi · Wsgidav

Published: 2026-06-11 · Updated: 2026-06-11 · CVE-2026-48099

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Impact

WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.

Patches

The issue is fixed with version 4.3.4.

Preconditions

The practical impact depends on the deployment.
The deployment uses a filesystem-backed WsgiDAV share.
The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.

Details

The issue is in FilesystemProvider._loc_to_file_path(). The method builds a candidate path with os.path.abspath(os.path.join(root_path, *path_parts)), then checks containment with file_path.startswith(root_path). This is a string-prefix test, not a path-boundary test. For example, if the configured share root is /tmp/share, a resolved sibling path such as /tmp/share_evil/secret.txt still starts with the string /tmp/share.
In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.
The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used /%2e%2e/..., which wsgiref passed through as /../....
A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as /tmp/share and /tmp/share_evil.
The WsgiDAV process has OS permissions for the outside path.
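As an added illustration (not the project's code and not its 4.3.4 patch), the Python below reproduces the prefix-string containment check described above next to a path-boundary-aware check built on os.path.commonpath, and runs both over the advisory's example layout (/tmp/share with a sibling /tmp/share_evil). The function names are mine; posixpath is used so the result does not depend on the host OS.

```python
import posixpath
from urllib.parse import unquote

# Constructed example values from the advisory's own layout, not a real
# deployment: the configured share root and a sibling directory whose
# absolute path starts with the same string.
ROOT = "/tmp/share"


def resolve(root_path, path_parts):
    """Build the candidate file path the way the advisory describes:
    abspath(join(root_path, *path_parts))."""
    return posixpath.abspath(posixpath.join(root_path, *path_parts))


def contained_prefix(root_path, path_parts):
    """The 4.3.3-style check: a plain string-prefix test, so a sibling
    such as /tmp/share_evil passes for a root of /tmp/share."""
    file_path = resolve(root_path, path_parts)
    return file_path.startswith(root_path)


def contained_boundary(root_path, path_parts):
    """Boundary-aware check (illustrative hardening, not the project's
    patch): the resolved path must be the root itself or lie below it
    as a whole path component, so /tmp/share_evil no longer matches."""
    file_path = resolve(root_path, path_parts)
    root = posixpath.normpath(root_path)
    return posixpath.commonpath([root, file_path]) == root


def check_request_path(root_path, raw_path_info):
    """Decode a PATH_INFO value (so /%2e%2e/ becomes /../ as in the local
    proof), split it into segments as the provider does, and return the
    verdict of (prefix check, boundary check) for comparison."""
    decoded = unquote(raw_path_info)
    parts = decoded.strip("/").split("/")
    return contained_prefix(root_path, parts), contained_boundary(root_path, parts)


if __name__ == "__main__":
    for p in ("/docs/readme.txt", "/%2e%2e/share_evil/secret.txt", "/../other/x"):
        print(p, check_request_path(ROOT, p))
```

A request that resolves to /tmp/share_evil/secret.txt passes the prefix check but fails the boundary check; an ordinary in-share path passes both.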

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-48099
GHSA-WXQ4-CC2Q-338Q

Affected Products

Wsgidav