CVE-2026-55477 in 3x-ui

Summary

by MITRE • 06/25/2026

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.


Analysis

by VulDB Data Team • 06/25/2026

The 3X-UI web control panel represents a critical security vulnerability that affects systems managing Xray-core servers through its database import functionality. This flaw exists in versions prior to 3.3.1 and creates a severe privilege escalation pathway for authenticated administrators who can manipulate the underlying database structure. The vulnerability stems from inadequate input validation and sanitization within the configuration import process, allowing maliciously crafted data to bypass normal security controls and write arbitrary files to the host system.

The technical implementation of this vulnerability involves the manipulation of Xray configuration values stored in the database during the import operation. When administrators use the import functionality, the system does not properly validate or sanitize the incoming configuration parameters before storing them in the database. This oversight enables attackers to inject malicious file paths or content that gets written to the filesystem when Xray processes these configurations. The flaw operates at the intersection of improper input validation and insecure data handling practices, creating a direct path for arbitrary file write operations.

The operational impact of this vulnerability extends far beyond simple privilege escalation, as it can lead to complete system compromise when Xray is running with elevated privileges. An attacker who gains access to an administrator account can leverage this vulnerability to place malicious files in critical system directories, potentially achieving code execution and persistent access as the user context under which Xray operates. When Xray runs as root, this vulnerability becomes particularly dangerous as it enables full system compromise through a single authenticated attack vector. The persistence aspect of this vulnerability allows attackers to maintain access even after system restarts or service interruptions.

Security professionals should note that this vulnerability aligns with CWE-22 (Improper Limiting of a Pathname to a Known Good Path) and CWE-73 (Restriction of Operations within a Single Cross-Site Scripting Context), as it involves path traversal and improper input validation. The attack pattern follows ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1078 (Valid Accounts), where an attacker uses legitimate administrative credentials to achieve unauthorized system access. Organizations should immediately implement mitigation strategies, including upgrading to version 3.3.1 or later, implementing network segmentation for the 3X-UI interface, and applying strict access controls to prevent unauthorized administrative access to the system.

The fix implemented in version 3.3.1 addresses this vulnerability through enhanced input validation and proper sanitization of database import operations. The update ensures that configuration values are properly validated before being stored in the database, preventing malicious file paths from being written to the filesystem. Additionally, the patch likely introduces stricter access controls around database operations and implements more robust error handling during import processes. Organizations should verify their systems are updated and conduct thorough security assessments to ensure no exploitation has occurred prior to implementing these updates.
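The kind of validation the fix paragraph describes, as an added example that is not 3X-UI's own code: a Go check, assumed here, that rejects an imported Xray configuration document when any path-like string value would resolve outside the single directory Xray is allowed to write to. The heuristic for "path-like" (leading "/" or a ".." component) and the allowed root are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// collectStrings gathers every string value in a decoded JSON document, under any key.
func collectStrings(v interface{}, out *[]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for _, c := range t {
			collectStrings(c, out)
		}
	case []interface{}:
		for _, c := range t {
			collectStrings(c, out)
		}
	case string:
		*out = append(*out, t)
	}
}

// insideRoot: does candidate (relative values resolved against root) stay under root after lexical cleaning?
func insideRoot(root, candidate string) bool {
	absRoot, _ := filepath.Abs(root)
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(absRoot, candidate) // Join also cleans
	}
	rel, err := filepath.Rel(absRoot, candidate) // Rel cleans both sides
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// ValidateImportedConfig rejects an imported Xray config if any path-like string value (assumed heuristic: leading "/" or "..") escapes root.
func ValidateImportedConfig(root string, raw []byte) error {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("invalid JSON: %w", err)
	}
	var vals []string
	collectStrings(doc, &vals)
	for _, s := range vals {
		if (strings.HasPrefix(s, "/") || strings.Contains(s, "..")) && !insideRoot(root, s) {
			return fmt.Errorf("config value %q names a path outside %s", s, root)
		}
	}
	return nil
}
```

Run this against the decoded import before anything is written to the database; a value that fails the check never reaches the config Xray later reads.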

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00342

KEV

no

Activities

very low

Sources
