CVE-2026-40400 in Windows
Summary
by MITRE • 07/14/2026
Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability represents a critical security flaw in Windows PowerShell that enables authenticated attackers to perform relative path traversal attacks leading to remote code execution. The issue stems from insufficient input validation and path resolution mechanisms within the PowerShell runtime environment, allowing malicious actors with valid credentials to manipulate file paths and access unauthorized system resources. When PowerShell processes commands containing relative path references, it fails to properly sanitize or validate these paths against the intended execution context, creating opportunities for attackers to navigate outside of designated directories and execute arbitrary code on target systems.
The technical implementation of this vulnerability involves PowerShell's handling of file resolution and command execution pathways where relative path components such as ..\ or .\ are not adequately restricted or normalized before being processed. This flaw operates at the application layer and can be exploited through various attack vectors including malicious script files, command-line inputs, or crafted network requests that leverage the trust relationship between authenticated users and the PowerShell environment. The vulnerability is particularly dangerous because it leverages legitimate authentication mechanisms while exploiting inherent weaknesses in path resolution logic.
From an operational impact perspective, this vulnerability enables attackers to escalate privileges and gain unauthorized access to sensitive system resources, potentially leading to full system compromise. The attack can be executed remotely over network connections, making it particularly concerning for enterprise environments where PowerShell is commonly used for administrative tasks and automation processes. Attackers can leverage this weakness to execute malicious payloads, establish persistence mechanisms, or move laterally within networks by accessing files and directories that should remain protected. The vulnerability affects systems where PowerShell is installed and actively used for command execution or script processing.
Mitigation strategies should focus on implementing robust input validation and path sanitization measures within PowerShell environments, including mandatory use of absolute paths for file operations and proper normalization of relative paths before execution. Organizations should enforce strict access controls and limit PowerShell usage to authorized personnel only through proper authentication and authorization mechanisms. System administrators must regularly update PowerShell components and implement network monitoring solutions to detect suspicious path traversal attempts. The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and can be mapped to ATT&CK techniques such as T1059.001 (PowerShell) and T1068 (Exploitation for Privilege Escalation). Additional protective measures include implementing application whitelisting policies, configuring proper file system permissions, and conducting regular security assessments to identify and remediate similar path traversal vulnerabilities across the enterprise infrastructure.