CVE-2026-22786: Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal

Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory.

Path traversal vulnerabilities occur when a web application accepts user-supplied file paths without proper validation, allowing attackers to access or write files outside the intended directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../).

Notably, while the related makeFileContent function in the same file properly validates the fileName parameter by checking for .. sequences, the MakeFile function lacks this security control, indicating an inconsistent security implementation.

An attacker with file upload privileges (role ID 888 - super administrator) could exploit this vulnerability by:

First uploading file chunks through the /fileUploadAndDownload/breakpointContinue endpoint (which has proper validation)

Then calling the /fileUploadAndDownload/breakpointContinueFinish endpoint with a malicious fileName parameter containing path traversal sequences (e.g., ../../../tmp/malicious.txt)

This could lead to: Arbitrary file creation, application process, Configuration file overwriting, Potential Remote Code Execution……