CVE-2026-28674 in xiaoheiFS

Summary

by MITRE • 03/18/2026

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. It only checks a hardcoded password (`qweasd123456`) and ignores file content. A background watcher (`StartWatcher`) then scans this folder every 5 seconds. If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue.


Analysis

by VulDB Data Team • 03/22/2026

CVE-2026-28674 affects xiaoheiFS, a self-hosted financial and operational system for cloud service providers, in versions up to and including 0.3.15. The weakness sits in the AdminPaymentPluginUpload endpoint, which accepts uploads into the plugins/payment/ directory. Its only gate is a comparison against the hardcoded password 'qweasd123456'; because that string ships with the product, it offers no protection once known, and the endpoint performs no validation of the uploaded file's type, content or integrity. On its own this is an arbitrary file write into a directory the application treats as trusted.

What turns the file write into remote code execution is the background watcher, StartWatcher, which polls plugins/payment/ every five seconds and executes any newly detected executable. There is no type check, content inspection or sandboxing between the upload and the execution, so an uploaded binary or script runs with the privileges of the xiaoheiFS process within seconds of being written. The weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type). The ATT&CK mapping given for it is T1059.001, a sub-technique of T1059 (Command and Scripting Interpreter); the parent technique is what describes the post-upload execution step in general.

The operational impact is severe for any deployment on an affected version. An attacker who can reach the endpoint and supply the hardcoded password can have arbitrary code running on the host within one polling interval, with no user interaction and no further exploitation step. Because the watcher runs as part of the application, the compromise is of the xiaoheiFS process and everything it can reach, which for a financial and operational system includes customer, billing and payment data. The realistic outcomes are persistent access, data exfiltration and disruption of the business processes the system supports, with the regulatory consequences that follow a breach of such data.

The remediation is to upgrade to version 4.0.0, which the advisory lists as the fixed release. Operators who cannot upgrade at once should treat the upload endpoint as an unauthenticated code-execution path: restrict network access to the administrative interface, and remove or disable the automatic execution of files dropped into plugins/payment/. A sound design for this feature does not tie plugin execution to a shared secret at all; it requires the upload to come from an authenticated administrator session, validates the file before storing it, and executes a plugin only after its contents have been verified against an operator-approved, signed manifest. Monitoring writes to the plugin directory and unexpected child processes of the xiaoheiFS service gives detection coverage in the meantime, and a review of the rest of the plugin and upload handling for the same pattern is warranted. Controls of this kind are catalogued in NIST SP 800-53 and are the sort of measures an ISO/IEC 27001 management system requires an organization to select and operate.
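To make the execution chain and the fix concrete, the following Go program is an added example written for this page; it is a reconstruction of the behaviour the advisory describes, not xiaoheiFS source, and the project's language, function names and plugin format are not known from the page. insecureShouldRun models the watcher decision as described (a new file with an execute bit gets run). HardenedShouldRun, ManifestEntry and Approve are hypothetical replacements showing the design the remediation paragraph calls for: execution only when the file's SHA-256 matches an entry in a manifest signed offline with the operator's Ed25519 key, and only if the file is a regular, non-group/world-writable file. The sample plugin contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// insecureShouldRun reproduces the decision the advisory attributes to the
// watcher: a file not seen before that carries an execute bit gets run.
// Nothing about the file's origin or content is checked. (Reconstruction of
// the described behaviour, not xiaoheiFS source.)
func insecureShouldRun(path string, seen map[string]bool) bool {
	if seen[path] {
		return false
	}
	seen[path] = true
	fi, err := os.Stat(path)
	if err != nil || !fi.Mode().IsRegular() {
		return false
	}
	return fi.Mode().Perm()&0o111 != 0
}

// ManifestEntry is one approved plugin: its file name, the SHA-256 of its
// bytes, and an Ed25519 signature over that digest made offline with the
// operator's signing key. (Hypothetical format chosen for this example.)
type ManifestEntry struct {
	Name   string
	SHA256 [sha256.Size]byte
	Sig    []byte
}

// HardenedShouldRun is the replacement decision: execute only if the file is a
// regular, non-group/world-writable file whose digest matches a manifest entry
// whose signature verifies under pub. An upload password plays no role here;
// possession of the offline signing key does.
func HardenedShouldRun(path string, manifest []ManifestEntry, pub ed25519.PublicKey) error {
	fi, err := os.Lstat(path) // Lstat so a symlink planted in the dir is not followed
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return errors.New("not a regular file")
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return errors.New("file is group- or world-writable")
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(data)
	name := filepath.Base(path)
	for _, e := range manifest {
		if e.Name != name || e.SHA256 != sum {
			continue
		}
		if ed25519.Verify(pub, sum[:], e.Sig) {
			return nil
		}
		return errors.New("manifest entry signature does not verify")
	}
	return errors.New("file digest not in signed manifest")
}

// Approve produces the manifest entry an operator creates for a plugin after
// reviewing it. priv stays on the operator's workstation, never on the server.
func Approve(name string, data []byte, priv ed25519.PrivateKey) ManifestEntry {
	sum := sha256.Sum256(data)
	return ManifestEntry{Name: name, SHA256: sum, Sig: ed25519.Sign(priv, sum[:])}
}

func main() {
	dir, _ := os.MkdirTemp("", "payment-plugins")
	defer os.RemoveAll(dir)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	approved := []byte("#!/bin/sh\necho reviewed payment plugin\n") // constructed sample
	dropped := []byte("#!/bin/sh\necho never reviewed\n")           // constructed sample
	good := filepath.Join(dir, "alipay.sh")
	evil := filepath.Join(dir, "evil.sh")
	_ = os.WriteFile(good, approved, 0o755)
	_ = os.WriteFile(evil, dropped, 0o755)
	manifest := []ManifestEntry{Approve("alipay.sh", approved, priv)}

	seen := map[string]bool{}
	for _, p := range []string{good, evil} {
		fmt.Printf("%s: insecure=%v hardened=%v\n",
			filepath.Base(p), insecureShouldRun(p, seen), HardenedShouldRun(p, manifest, pub))
	}
}
```

Run as is, the insecure decision is true for both files, while the hardened one accepts only alipay.sh and rejects evil.sh; changing a single byte of an approved plugin, verifying against a different public key, or leaving the file world-writable all cause HardenedShouldRun to return an error. The point of the design is that the watcher no longer trusts the directory; whoever can write to plugins/payment/ gains nothing without the signing key.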

Responsible

GitHub_M

Reservation

03/02/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00073

KEV

no

Activities

very low
