Path traversal in FreeRDP - #VU137831

 

Path traversal in FreeRDP - #VU137831

Published: July 16, 2026


Vulnerability identifier: #VU137831
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FreeRDP
Affected software:
FreeRDP

Detailed vulnerability description

The vulnerability allows a remote attacker to access, modify, delete, or enumerate files outside the configured shared root.

The vulnerability exists due to path traversal in drive redirection path handling in drive_file_combine_fullpath() when processing a server-supplied non-rooted RDPDR path. A remote attacker can send a specially crafted RDPDR path to access, modify, delete, or enumerate files outside the configured shared root.

Drive redirection must be enabled, and user interaction is required because the client must connect to a malicious or compromised RDP server and share a local drive or path. The demonstrated scope is limited to prefix-sibling paths that share the configured root as a string prefix rather than arbitrary whole-filesystem access.


Remediation

Install security update from vendor's website.

Sources