HIGH 7.5

CVE-2026-10073: DreamMaker Arbitrary File Read via Relative Path Traversal

DreamMaker, a product by Interinfo, contains a flaw that allows attackers to read arbitrary files from the system without authentication. An attacker can exploit a relative path traversal weakness to access sensitive system files they shouldn't be able to reach. This is a network-accessible vulnerability, meaning an attacker doesn't need physical access or prior system credentials to attempt exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-23
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10073 is an Arbitrary File Read vulnerability in DreamMaker stemming from improper handling of relative file paths (CWE-23). The vulnerability allows unauthenticated, network-based attackers to traverse directory structures and download files outside their intended access scope. The CVSS 3.1 score of 7.5 (HIGH) reflects a network attack vector with low complexity, no privilege requirement, and no user interaction needed. Impact is confined to confidentiality; integrity and availability are not affected.

Business impact

Exploitation of this vulnerability could expose sensitive system files, configuration data, credentials, or intellectual property stored on affected systems. Organizations using DreamMaker face data exfiltration risk without the need for an attacker to authenticate or compromise user accounts first. The lack of privilege requirements and ease of exploitation increase the likelihood of opportunistic attacks targeting exposed instances.

Affected systems

DreamMaker as developed by Interinfo is affected. Verify your deployment version against vendor advisories to confirm impact scope. No specific affected product versions are listed in the current advisory; contact Interinfo or consult their security documentation for version-specific guidance.

Exploitability

This vulnerability is highly exploitable. It requires no authentication, no special user interaction, and presents low attack complexity, meaning a standard HTTP request or simple script can trigger the path traversal. The network-accessible attack vector means any system with network exposure to DreamMaker is at immediate risk. The flaw is straightforward to weaponize once the path traversal mechanism is understood.

Remediation

Patch DreamMaker to a version that properly validates and sanitizes file path inputs, removing the relative path traversal vulnerability. Coordinate patching with your DreamMaker deployment documentation and Interinfo's official advisory. Until patches are available, restrict network access to DreamMaker instances using firewall rules and network segmentation to trusted networks only.

Patch guidance

Monitor Interinfo's official security advisories and update channels for available patches. Apply patches promptly following your change management process. Verify patch effectiveness by retesting path traversal attempts in a non-production environment. Document patch versions applied and maintain an inventory of DreamMaker instances to ensure comprehensive coverage.

Detection guidance

Monitor DreamMaker access logs for patterns suggesting path traversal attempts, such as requests containing '../' sequences or unusual file paths in request parameters. Network intrusion detection systems can flag HTTP requests with traversal patterns. Log file access events and flag reads of sensitive system files from DreamMaker processes. Baseline normal access patterns and alert on deviations.

Why prioritize this

Although CVE-2026-10073 is not on the CISA KEV list, its HIGH CVSS score, combined with unauthenticated network exploitability and low attack complexity, warrants prompt attention. Any organization running Internet-exposed DreamMaker instances should prioritize patching before external threat actors identify and exploit exposed systems.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects the combination of network accessibility, complete confidentiality impact, no required authentication or user interaction, and low attack complexity. The absence of integrity or availability impact prevents a CRITICAL score. Organizations should treat this as a high-priority security issue despite not yet appearing on the KEV catalog.

Frequently asked questions

What files can an attacker read using this vulnerability?

An attacker can read any file accessible by the DreamMaker process on the system. This may include configuration files, system files, application data, and potentially credentials or keys—depending on DreamMaker's process permissions and file system layout.

Do I need to be authenticated to exploit this vulnerability?

No. This is an unauthenticated vulnerability, meaning attackers can exploit it without valid credentials or prior access to a user account.

Is DreamMaker currently on the CISA Known Exploited Vulnerabilities list?

No. CVE-2026-10073 is not currently listed on the KEV catalog, but its technical characteristics make it inherently exploitable and a priority for defenders.

How quickly should I patch this?

Given the HIGH severity and ease of exploitation, prioritize patching within your standard urgent security update timelines—ideally within days rather than weeks. In the interim, implement network access controls to limit exposure.

This analysis is based on the CVE-2026-10073 advisory published 2026-05-29 and modified 2026-06-17. Specific product versions, patch availability, and vendor-specific details should be verified directly with Interinfo's official security documentation and advisories. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance; organizations should conduct their own risk assessment and testing. Exploit code, proof-of-concept details, and weaponization methods are intentionally omitted from this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).