HIGH 7.5

CVE-2026-32847: DeepCode Path Traversal Allows Unauthenticated Arbitrary File Read

DeepCode contains a path traversal vulnerability that allows anyone on the internet to read sensitive files from the server without needing to authenticate or provide credentials. An attacker can craft specially-encoded URLs that trick the application into serving files it shouldn't, such as SSH keys, TLS certificates, and application secrets. The vulnerability exists in how the application handles file paths in its web interface, and the encoding bypass makes it straightforward to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in new_ui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /{full_path:path} endpoint. Attackers can bypass Starlette's path normalization by encoding slashes as %2F and dots as %2E%2E, causing the joined path to traverse outside FRONTEND_DIST and exposing sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the SPA catch-all route handler at new_ui/backend/main.py, which maps GET requests to /{full_path:path} to serve frontend files. The application fails to properly validate and normalize user-supplied path segments before joining them to the FRONTEND_DIST directory. By percent-encoding path traversal sequences—encoding forward slashes as %2F and dot-dot sequences as %2E%2E—attackers bypass Starlette's built-in path normalization. This allows directory traversal outside the intended frontend distribution directory, exposing arbitrary files readable by the application process. The vulnerability is unauthenticated and requires no user interaction, triggered by a single malformed GET request.

Business impact

Successful exploitation exposes confidential credentials and cryptographic material, creating immediate risk of lateral movement, system compromise, and potential supply-chain impact if the application manages sensitive development or deployment infrastructure. SSH private keys and TLS certificates are particularly valuable for escalating access or intercepting communications. Organizations using DeepCode for code analysis or security scanning may store secrets, API tokens, or customer data accessible to the application, amplifying exposure. The ease of exploitation and lack of authentication requirements mean threat actors will discover and weaponize this rapidly.

Affected systems

DeepCode through commit c991dc2 is affected. Verify your installed version against the repository history. If your deployment includes commits up to and including c991dc2, the system is vulnerable. Determine whether your instance exposes the affected endpoint to untrusted networks.

Exploitability

Exploitability is very high. The attack requires only network access and HTTP client capabilities; no authentication, special configuration, or user interaction is necessary. The percent-encoding bypass is reliable and not dependent on timing or race conditions. Automated scanning and exploitation tools can trivially enumerate and extract files. Given the straightforward nature of the attack vector and the high-value nature of exposed files, assume active exploitation is already occurring or will commence immediately upon disclosure.

Remediation

Upgrade DeepCode beyond commit c991dc2. When upgrading, verify the patched version implements proper path canonicalization before any file operations and rejects or sanitizes percent-encoded traversal sequences. Apply the patch in a controlled manner, test in a staging environment first, and restart the application. As a temporary workaround if an immediate patch is unavailable, restrict network access to the DeepCode service to trusted hosts only via firewall or reverse proxy rules, and monitor for suspicious file access patterns.

Patch guidance

Check the DeepCode repository and vendor advisories for the next available release or commit that addresses this path traversal. Review patch release notes to confirm the fix validates and normalizes paths correctly. Deploy the patch to all production and development instances. After patching, verify the fix by attempting a benign path traversal test (e.g., requesting a file outside FRONTEND_DIST) and confirming the request is rejected or the file is not served.

Detection guidance

Monitor HTTP access logs for GET requests to the /{full_path:path} endpoint containing percent-encoded characters, particularly %2F, %2E sequences, or repeated %2E%2E patterns. Alert on requests attempting to access files outside the expected frontend directory structure (e.g., paths containing ../ or encoded equivalents targeting /etc, /home, .ssh, or .git directories). Examine filesystem access logs for unexpected reads of sensitive files (private keys, certificates, configuration files) by the application process. Correlate HTTP and filesystem logs to identify successful exploitation attempts.

Why prioritize this

A CVSS 7.5 HIGH severity score reflects the unauthenticated network-accessible confidentiality impact. Prioritize this immediately because sensitive credentials are directly exposed with minimal attacker effort, the vulnerability is trivial to exploit at scale, and no KEV or ransomware designation should lower your guard—active exploitation is likely. Deploy patches within hours, not days.

Risk score, explained

The score reflects AV:N (network-accessible), AC:L (no complexity), PR:N (no authentication), UI:N (no user interaction), resulting in HIGH severity. The impact is limited to confidentiality (C:H), not integrity or availability, which prevents a CRITICAL rating. However, the exposure of cryptographic keys and secrets substantially elevates the practical risk beyond the base score.

Frequently asked questions

Can this vulnerability be exploited without network access?

No. The vulnerability requires HTTP network access to the /{full_path:path} endpoint. However, if the application is exposed to the internet or reachable from untrusted networks, exploitation is trivial.

What files are most at risk?

SSH private keys, TLS/SSL certificates, configuration files containing database credentials or API keys, environment variable files (.env), and source code repositories (.git directories) are highest-value targets. Any file readable by the application process is at risk.

Does authentication protect against this vulnerability?

No. The vulnerability is explicitly unauthenticated. Even if your DeepCode instance requires login for other features, this file-serving endpoint does not check authentication before processing the request.

If I restrict network access to DeepCode, am I safe?

Restricting network access via firewall or VPN mitigates the vulnerability for external attackers, but insiders or compromised internal systems can still exploit it. Patching remains mandatory.

This analysis is based on the public CVE record and vendor information available as of the publication date. Verify all patch versions, affected commits, and remediation steps against the official DeepCode repository and security advisories before deploying changes. SEC.co does not assume liability for inaccuracies in third-party vendor disclosures or delayed security updates. Test patches in a non-production environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).