In the complex world of Identity and Access Management (IAM), the security of the gateway is paramount. A security researcher has disclosed a critical arbitrary file write vulnerability in Casdoor, a popular open-source IAM platform and Model Context Protocol (MCP) gateway.
The flaw, tracked as CVE-2026-44213, lies in Casdoor's "Local File System" storage provider and potentially allows attackers to leap from application-level access to total host compromise.
Casdoor provides authentication and single sign-on services, and uses a dedicated storage directory ($CASDOOR/files/) to hold user-uploaded resources. Researchers found, however, that the application fails to sanitize user-supplied paths during the upload process.
The vulnerability is triggered through the /api/upload-resource endpoint. The application determines the final storage destination by concatenating two user-supplied parameters, pathPrefix and fullFilePath, without normalizing the result.
According to the CERT/CC vulnerability note, “Values provided for pathPrefix are not properly sanitized, so directory traversal sequences such as ../../ are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process.”
Because the application does not verify that the resulting destination remains within the intended storage sandbox, “an authenticated attacker with file upload privileges can perform a path traversal attack to create or overwrite arbitrary files elsewhere on the host filesystem”.
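The following is an added illustration of the bug class, not Casdoor's own code and not the fix submitted in the pull request. vulnerableDestination mirrors the pattern the advisory describes (the two request parameters concatenated onto the storage directory, with the OS left to resolve "../"), and safeDestination shows the standard hardening: resolve the path lexically, then refuse anything that does not stay inside the root. The storage root /srv/casdoor/files and the function names are assumptions; the page only says the directory is $CASDOOR/files/.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed storage root for the example; the page describes it only as $CASDOOR/files/.
const storageRoot = "/srv/casdoor/files"

// ErrEscapesRoot is returned when the resolved destination leaves the storage root.
var ErrEscapesRoot = errors.New("destination escapes storage root")

// vulnerableDestination mirrors the pattern the advisory describes: the two
// user-supplied parameters are concatenated onto the storage directory and the
// result is handed to the OS, which resolves any "../" components.
func vulnerableDestination(root, pathPrefix, fullFilePath string) string {
	return root + "/" + pathPrefix + "/" + fullFilePath
}

// safeDestination resolves the same inputs lexically, then refuses any result
// that is not inside root. filepath.Join cleans "../" segments, so the check
// is done on the cleaned path rather than on the raw input.
func safeDestination(root, pathPrefix, fullFilePath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(absRoot, pathPrefix, fullFilePath)
	rel, err := filepath.Rel(absRoot, dest)
	if err != nil {
		return "", err
	}
	// rel is "..", "../x" or deeper whenever dest lies outside absRoot.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return dest, nil
}

func main() {
	// Constructed sample inputs: a legitimate upload, the "../../" traversal
	// from the advisory, and a traversal hidden behind a real subdirectory.
	cases := []struct{ prefix, file string }{
		{"avatars", "user1/photo.png"},
		{"../../etc/cron.d", "persist"},
		{"avatars/../..", "casdoor.db"},
	}
	for _, c := range cases {
		raw := vulnerableDestination(storageRoot, c.prefix, c.file)
		fmt.Printf("vulnerable: %s -> OS resolves to %s\n", raw, filepath.Clean(raw))
		if dest, err := safeDestination(storageRoot, c.prefix, c.file); err != nil {
			fmt.Printf("hardened:   rejected (%v)\n", err)
		} else {
			fmt.Printf("hardened:   %s\n", dest)
		}
	}
}
```

The check is purely lexical. If an attacker can plant a symlink inside the root, a cleaned path can still point outside it, so a production fix should also resolve existing parent directories with filepath.EvalSymlinks or, on Go 1.24 and later, perform the write through os.OpenRoot, which confines file operations to the root at the kernel level.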
The ability to write arbitrary files with the privileges of the Casdoor runtime user gives an attacker a powerful toolkit for destruction and persistence.
Attackers can bypass the application’s intended sandbox to “establish persistence by creating scheduled tasks or cron jobs through the filesystem as the Casdoor user”.
A malicious actor could “overwrite Casdoor’s backend database file casdoor.db, causing authentication services to fail and locking out all users and dependent applications”.
Depending on how much authority the Casdoor service account holds, “this vulnerability may allow escalation from application-level access to full host compromise”.
Exploiting this flaw requires an attacker to already hold an authenticated session with the ability to upload resources, which the article describes as permission to manage storage providers. That is a real barrier, but in multi-user or exposed environments it still represents a significant risk.
A pull request implementing rigorous validation of storage paths has already been submitted to the Casdoor repository. Until that fix is merged and released, administrators are advised to take the following precautions:
- Restrict Permissions: Limit the filesystem permissions of the Casdoor service account to the absolute minimum required for operation. This shrinks the blast radius (for example, it can keep the account out of cron directories), but the process must still be able to write its own data, so it does not by itself prevent the overwrite of casdoor.db described above.
- Audit Access: Strictly limit administrative access to trusted individuals.
- Disable Local Storage: If possible, “Administrators should avoid using the Local File System provider or disable this service in multi-user or exposed environments”.