Vulnerability in BACnet Stack's File Writing Functionality Exposes Applications to Directory Traversal Attacks
CVE-2026-21878

7.5HIGH

Key Information:

Vendor: Bacnet-stack
Status: Bacnet-stack
Vendor: CVE Published:; 13 February 2026

🔔 Create Bacnet-stack Vulnerability Alert

What is CVE-2026-21878?

A significant vulnerability has been identified in the BACnet Stack, an open-source protocol library utilized in embedded systems. The flaw resides within the file writing functionality, specifically in the handling of user-provided file paths, which lacks proper validation. This deficiency enables malicious actors to execute directory traversal attacks, potentially allowing them to write files to arbitrary locations within the system. This vulnerability impacts files located in apps/readfile/main.c and ports/posix/bacfile-posix.c. A fix addressing this issue has been implemented in version 1.5.0.rc3.

Affected Version(s)

bacnet-stack < 1.5.0.rc3

References

https://github.com/bacnet-stack/bacnet-stack/security/adv...

x_refsource_CONFIRM

https://github.com/bacnet-stack/bacnet-stack/commit/c5dc0...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 13, 2026
Vulnerability Reserved
Jan 5, 2026

CVE-2026-21878 Data

JSON