CVE-2026-52884 in Notepad++
Summary
by MITRE • 06/27/2026
Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does NOT canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent) that matches paths starting with trusted directory strings. A path traversal using ..\..\ after a trusted directory prefix passes the check while resolving to an untrusted location. The CVE-2026-48800 patch adds isInTrustedDirectory() validation in Command::run() (RunDlg.cpp) before calling ShellExecute(). This function checks whether the resolved executable path is under a trusted directory. This vulnerability is fixed in 8.9.6.2.
Analysis
by VulDB Data Team • 06/27/2026
The vulnerability described in CVE-2026-48800 affects Notepad++ version 8.9.6.1, where the isInTrustedDirectory() function does not canonicalize a file path before validating it. The check is part of the application's safeguard for external command execution, specifically for shell commands launched through the Run dialog. It relies on PathIsPrefix() or an equivalent prefix comparison, which only tests whether the path string begins with a trusted directory string; it neither normalizes the path nor resolves symbolic links.
The root cause is missing path canonicalization, which lets an attacker bypass the restriction with directory traversal. A path that places ..\..\ after a trusted directory prefix passes the check, because only the leading portion of the string is examined and the real file system location is never resolved. The path therefore looks as if it lies inside a trusted directory while it actually resolves outside that boundary, which allows code execution or file access beyond the intended scope.
The operational impact is significant because the flaw undermines the application's security controls and could allow an attacker to execute commands with elevated privileges or reach restricted system resources. The affected code is the Command::run() function in RunDlg.cpp, where ShellExecute() is called; an adversary who bypasses the trusted directory restriction there can potentially gain unauthorized access to system components or sensitive data.
The fix in version 8.9.6.2 strengthens the isInTrustedDirectory() validation performed in Command::run() before ShellExecute() is invoked. The patch verifies the fully resolved executable path against the trusted directories, so malformed or non-canonical path sequences can no longer be used to traverse out of a trusted directory and evade the check.
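The prefix check and its canonicalizing replacement, as an added example that is not Notepad++'s own code: a Python stand-in for the C++ logic, using ntpath.normpath in place of the Win32 canonicalization call, with constructed trusted directories and sample paths (the real trusted list is not given on this page).

```python
import ntpath

# Constructed stand-in for the trusted directory list (assumption, not the real one).
TRUSTED_DIRS = [
    r"C:\Program Files\Notepad++",
    r"C:\Program Files\Notepad++\plugins",
]


def _trusted_prefix(directory):
    # Case-fold (Windows paths are case-insensitive) and force a trailing
    # separator so "Notepad++evil" cannot match the "Notepad++" directory.
    return ntpath.normcase(directory.rstrip("\\")) + "\\"


def is_in_trusted_directory_prefix(path):
    """Vulnerable pattern described in the advisory: compare the raw string
    against the trusted prefixes without resolving '.' or '..' first."""
    raw = ntpath.normcase(path)
    return any(raw.startswith(_trusted_prefix(d)) for d in TRUSTED_DIRS)


def is_in_trusted_directory_canonical(path):
    """Fixed pattern: canonicalize first (collapse '..', '.', repeated and
    mixed separators), then run the same boundary-aware prefix comparison."""
    resolved = ntpath.normcase(ntpath.normpath(path))
    return any(resolved.startswith(_trusted_prefix(d)) for d in TRUSTED_DIRS)


# Constructed sample inputs.
LEGIT = r"C:\Program Files\Notepad++\notepad++.exe"
TRAVERSAL = r"C:\Program Files\Notepad++\..\..\Users\Public\other.exe"
LOOKALIKE = r"C:\Program Files\Notepad++evil\other.exe"

if __name__ == "__main__":
    for p in (LEGIT, TRAVERSAL, LOOKALIKE):
        print(f"{p}\n  prefix check: {is_in_trusted_directory_prefix(p)}"
              f"  canonical check: {is_in_trusted_directory_canonical(p)}")
```

The traversal path is accepted by the prefix check and rejected once it is resolved to C:\Users\Public\other.exe; the look-alike directory is rejected by both only because the prefix carries a trailing separator.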
The vulnerability maps to CWE-22 Path Traversal and CWE-73 Relative Path Traversal: insufficient input validation lets an attacker manipulate file system access controls. It can also be mapped to ATT&CK technique T1059 Command and Scripting Interpreter, since the weak path handling is abused to make the application execute commands. The patch follows sound defensive practice by resolving the path fully before the trust decision is made, which is the established way to prevent path traversal in file system operations.
The case illustrates why path canonicalization is critical in security-sensitive code and how a small implementation shortcut can create a real security risk. By performing every path validation after full path resolution, the fix removes the traversal route around the trust check and strengthens the application's defense in depth against unauthorized file system access and command execution.