Vulnerability Description
Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Salvo | Salvo | >= 0.39.0, < 0.89.3 |
Related Weaknesses (CWE)
References
- https://github.com/salvo-rs/salvo/commit/7bac30e6960355c58e358e402072d4a3e5c4e1bPatch
- https://github.com/salvo-rs/salvo/releases/tag/v0.89.3ProductRelease Notes
- https://github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4ExploitMitigationVendor Advisory
- https://github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-33242?
CVE-2026-33242 is a vulnerability with a CVSS score of 7.5 (HIGH). Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated ex...
How severe is CVE-2026-33242?
CVE-2026-33242 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33242?
Check the references section above for vendor advisories and patch information. Affected products include: Salvo Salvo.