CVE-2026-58192 in Appiuminfo

Summary

by MITRE • 07/09/2026

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in Appium's storage plugin represents a critical directory traversal flaw that undermines the security boundaries of the automation framework. This weakness exists in versions prior to 1.1.6 where the POST /storage/delete endpoint fails to properly sanitize user-supplied input parameters. The implementation directly passes the name parameter through path.join(storageRoot, name) without any validation or sanitization mechanisms, creating a path traversal condition that allows attackers to manipulate file system operations beyond intended boundaries.

The technical exploitation of this vulnerability occurs through the manipulation of the name parameter using ../ sequences to escape the designated storage root directory. When the application processes these malicious inputs, it constructs file paths that can traverse directories outside the intended storage area and passes them to fs.rimraf() function which performs recursive deletion operations. This creates a remote code execution vector where unauthenticated attackers can delete arbitrary files or directories that are writable by the Appium process, potentially leading to complete system compromise or data destruction.

From an operational perspective, this vulnerability poses significant risks to organizations using Appium for automated testing and application deployment. The unauthenticated nature of the exploit means that any remote client with network access to the Appium server can leverage this flaw without requiring valid credentials. The impact extends beyond simple file deletion as attackers could potentially target critical system files, configuration data, or even the Appium installation itself, leading to service disruption or complete system compromise. This vulnerability directly maps to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory and aligns with ATT&CK technique T1059.007 - Command and Scripting Interpreter: Python, as exploitation could involve manipulating the file system through scripting operations.

Organizations should immediately implement mitigations including upgrading to Appium version 1.1.6 or later where this vulnerability has been patched. Additionally, network segmentation should be implemented to restrict access to Appium servers, and proper authentication mechanisms should be enforced even when using internal networks. The fix in version 1.1.6 likely includes input validation and path sanitization that prevents the traversal sequences from being processed, ensuring that all file operations remain within the designated storage root directory boundaries. Regular security audits of automation frameworks and continuous monitoring for similar vulnerabilities in third-party components should also be established to prevent future incidents of this nature.

Responsible

GitHub M

Reservation

06/29/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!