Directory Traversal Vulnerability in Zephyr's HTTP Server
CVE-2026-8023

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 29 June 2026

What is CVE-2026-8023?

The HTTP server in Zephyr is susceptible to a directory traversal vulnerability due to improper handling of URL paths. Attackers can exploit this vulnerability to read arbitrary files from the filesystem, as the server does not resolve directory traversal sequences in the URL. Before being patched, this issue allowed unauthenticated remote clients to access sensitive files, potentially leading to information disclosure. The vulnerability affects specific releases of Zephyr with static-filesystem resource capabilities. A fix has been implemented to sanitize URL paths, mitigating the risk of unauthorized file access.
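
The kind of path sanitisation described above, shown as an added example: this is not Zephyr's code and not the actual fix. The function name `normalize_url_path` is hypothetical, and the input is assumed to be already percent-decoded, so that the canonical result is the only string ever joined to the static-filesystem root.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Zephyr code. Canonicalises an already percent-decoded
 * URL path: collapses "//" and ".", resolves "..", and rejects any path that
 * would climb above "/". Returns 0 on success, -1 on rejection. */
int normalize_url_path(const char *in, char *out, size_t out_len)
{
    size_t len = 0;                          /* bytes kept in out so far */
    if (in == NULL || out == NULL || out_len < 2 || in[0] != '/') {
        return -1;
    }
    while (*in != '\0') {
        in += strspn(in, "/");               /* skip separator(s) */
        size_t seg = strcspn(in, "/");       /* length of next segment */
        if (seg == 1 && in[0] == '.') {      /* "." is the current dir: drop */
        } else if (seg == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0) {
                return -1;                   /* ".." at root: escape attempt */
            }
            while (out[--len] != '/') {      /* pop the last kept segment */
            }
        } else if (seg > 0) {
            if (len + seg + 2 > out_len) {
                return -1;                   /* result would not fit in out */
            }
            out[len++] = '/';
            memcpy(out + len, in, seg);
            len += seg;
        }
        in += seg;
    }
    if (len == 0) {
        out[len++] = '/';                    /* everything collapsed to root */
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    const char *paths[] = { "/static/../index.html", "/../etc/passwd" }; /* constructed */
    char buf[64];
    for (size_t i = 0; i < 2; i++) {
        int rc = normalize_url_path(paths[i], buf, sizeof(buf));
        printf("%s -> %s\n", paths[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```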

Affected Version(s)

zephyr 4.0.0 < 4.5.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
