PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8023 zephyrproject CVE debrief

CVE-2026-8023 is a high-severity vulnerability in Zephyr's HTTP server that allows unauthenticated remote clients to read arbitrary files on the mounted volume. The vulnerability exists in the static-filesystem resource type, which serves files from a configured root directory. An attacker can exploit this vulnerability by sending a specially crafted request that traverses the directory structure, allowing access to files outside the intended web root. This issue affects deployments that register a static-filesystem resource. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal.

Vendor
zephyrproject
Product
zephyr
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-29
Original CVE updated
2026-07-17
Advisory published
2026-06-29
Advisory updated
2026-07-17

Who should care

Organizations using Zephyr's HTTP server with static-filesystem resources, particularly those with untrusted networks or sensitive data, should prioritize patching this vulnerability. Operators of affected systems, platform administrators, vulnerability management teams, and security teams should be aware of the potential impact and take necessary actions to mitigate the risk.

Technical summary

The vulnerability exists in the static-filesystem resource type of Zephyr's HTTP server. The HTTP/1 and HTTP/2 front-ends place the raw, attacker-controlled request path into client->url_buffer without resolving ./.. segments. The static-FS handler then builds the on-disk filename by directly concatenating the configured root with that raw URL and opens it with fs_open(). This allows an unauthenticated remote client to read arbitrary readable files on the mounted volume. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal.

Defensive priority

High

Recommended defensive actions

  • Apply the patch from Zephyrproject
  • Review and update HTTP server configurations
  • Monitor for suspicious activity
  • Implement additional security measures such as authentication and authorization
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-29T23:16:43.777Z and was last modified on 2026-07-17T16:17:19.503Z. The NVD entry is currently Modified. This information is based on the supplied source corpus. Defenders should verify the accuracy of this information within the limits of publicly available data.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-29T23:16:43.777Z and has not been modified since then. The NVD entry is currently Modified.