Path traversal in FreeRDP - #VU137831
Published: July 16, 2026
FreeRDP
Detailed vulnerability description
The vulnerability allows a remote attacker to access, modify, delete, or enumerate files outside the configured shared root.
The vulnerability exists due to path traversal in drive redirection path handling in drive_file_combine_fullpath() when processing a server-supplied non-rooted RDPDR path. A remote attacker can send a specially crafted RDPDR path to access, modify, delete, or enumerate files outside the configured shared root.
Drive redirection must be enabled, and user interaction is required because the client must connect to a malicious or compromised RDP server and share a local drive or path. The demonstrated scope is limited to prefix-sibling paths that share the configured root as a string prefix rather than arbitrary whole-filesystem access.