CVE-2026-33242: Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass

March 19, 2026

If attackers take advantage of this problem, they can get past API Gateway security checks and route limits without logging in. This could accidentally make internal services, admin pages, or folders visible.

The attack works because the special path is sent as-is to the backend, which often happens in systems that follow standard web address rules. Attackers might also use different ways of writing URLs or add extra parts to the web address to get past simple security checks that only look for exact ../ patterns.

References

github.com/advisories/GHSA-f842-phm9-p4v4
github.com/salvo-rs/salvo
github.com/salvo-rs/salvo/commit/7bac30e6960355c58e358e402072d4a3e5c4e1bb
github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4
nvd.nist.gov/vuln/detail/CVE-2026-33242

Code Behaviors & Features

Detect and mitigate CVE-2026-33242 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →