CVE-2026-54134

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

OctoPrint has possible file exfiltration via query parameters on upload endpoints

Impact

OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067 but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.

The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host after an attempted server restart. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases.

Patches

The vulnerability has been patched in version 1.11.8 and 2.0.0rc3.

Details

OctoPrint's web application is implemented in Flask, but uploads are first intercepted by a custom upload handler built on Tornado that sits in front of it. The handler streams the upload to a temporary file on disk - so files larger than the available memory can be uploaded - and rewrites the request, adding internal form fields that tell Flask where to find that temporary file.

These fields are reserved and meant to be set only by the upload handler, never by the client. The previous fix from GHSA-m9jh-jf9h-x3h2/CVE-2025-48067 stripped them from the request received from the client when they were sent as multipart form fields, yet they could still reach Flask through other channels: as plain query parameters, or - since the Tornado handler and Flask did not parse requests identically - smuggled in via several "parser differentials" that looked harmless to the handler while Flask still saw the injected fields. Any of these let an attacker make OctoPrint treat an arbitrary file on the host as a freshly uploaded one and move it into the upload folder.

The following endpoints in OctoPrint are affected:

  • /api/files/{local|sdcard}
  • /api/languages
  • /plugin/backup/restore
  • /plugin/pluginmanager/upload_file

Further upload endpoints in third party plugins might be affected too.

The fix rejects requests carrying any of the reserved fields, aligns the Tornado handler's request parsing with Flask's (Werkzeug) to avoid any differential parsing, and re-validates the request rewritten by Tornado before forwarding it to Flask.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by Koh Jun Sheng and Jacopo Tediosi.

Timeline

2026-06-04: Report received 2026-06-04: Report acknowledged 2026-06-08: Report verified 2026-06-17: Fix ready for 1.11.x 2026-06-22: Fix ported to 2.0.0 2026-06-23: Fix released with 1.11.8 and 2.0.0rc3

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

June 23, 2026

Last Modified

June 23, 2026

Vendor Advisories for CVE-2026-54134(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-23 18:21 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-54134?
CVE-2026-54134 is a high vulnerability published on June 23, 2026. OctoPrint has possible file exfiltration via query parameters on upload endpoints Impact OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint…
When was CVE-2026-54134 disclosed?
CVE-2026-54134 was first published in the National Vulnerability Database on June 23, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-54134?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54134, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-54134

Explore →

Is Your Infrastructure Affected by CVE-2026-54134?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.