PatchSiren cyber security CVE debrief
CVE-2026-48049 hapijs CVE debrief
CVE-2026-48049 is a medium-severity vulnerability in @hapi/inert, a static file and directory handler for hapi.js. The vulnerability allows unauthenticated remote attackers to read files via a directory traversal attack. The issue arises from a flawed confinement check that compares the resolved absolute path against the confine directory using a raw string-prefix test. This allows an attacker to access files outside the intended directory by using a sibling directory and URL-encoded ../ characters. The vulnerability was fixed in version 7.1.1. Developers and administrators using @hapi/inert versions between 4.0.0 and 7.1.0 should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- hapijs
- Product
- inert
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using @hapi/inert versions between 4.0.0 and 7.1.0 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and restricting file system access permissions, implementing additional monitoring and logging to detect potential attacks, and updating @hapi/inert to version 7.1.1 or later.
Technical summary
The vulnerability in @hapi/inert arises from a flawed confinement check that compares the resolved absolute path against the confine directory using a raw string-prefix test. This allows an attacker to access files outside the intended directory by using a sibling directory and URL-encoded ../ characters. The issue was fixed in version 7.1.1. Affected product deployments should be reviewed for exposure, and compensating controls should be implemented while remediation is scheduled and verified.
Defensive priority
Medium
Recommended defensive actions
- Update @hapi/inert to version 7.1.1 or later
- Review and restrict file system access permissions
- Implement additional monitoring and logging to detect potential attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-17T22:17:14.557Z and has not been modified since then. The NVD entry is currently 5.3 (Medium). Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for specific guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:14.557Z and has not been modified since then.