Redaxo Backup Path Traversal: Archiving the Crown Jewels
Jan 5, 2026·5 min read·10 visits
Executive Summary (TL;DR)
The Redaxo Backup Addon blindly trusted user input defining which directories to zip. Authenticated attackers can use directory traversal (`../`) in the `EXPDIR` parameter to force the server to archive and download sensitive files like `config.yml` (containing DB passwords) instead of the intended backup folders.
A critical Path Traversal vulnerability in the Redaxo CMS Backup Addon allows authenticated users to manipulate export parameters, enabling the extraction of sensitive system configuration files and database credentials.
Official Patches
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Redaxo CMS Redaxo | <= 5.20.1 | 5.20.2 |
Backup Addon Redaxo | <= 2.9.3 | 2.9.4 |
| Attribute | Detail |
|---|---|
| CWE | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |
| CVSS v3.1 | 8.8 (High) |
| Attack Vector | Network |
| Privileges | Low (Backup Permission) |
| Impact | Confidentiality, Integrity, Availability |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Known Exploits & Detection
Vulnerability Timeline
Subscribe to updates
Get the latest CVE analysis reports delivered to your inbox.