CVE-2026-36723: Directory Traversal in Bookcars v8.3 File Rename API
Bookcars v8.3 contains a file handling flaw in its user creation API that allows authenticated users to move files around the server using path traversal tricks. An attacker with valid credentials can exploit this to place files in sensitive locations, overwrite important application code, or execute arbitrary code on the server. This is particularly dangerous because it requires only basic authentication—no special privileges or user interaction needed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36723 is a directory traversal vulnerability (CWE-22) affecting the /api/create-user endpoint in bookcars v8.3. The vulnerability stems from insufficient input validation on file rename operations. Authenticated attackers can inject path traversal sequences (e.g., '../../../') into rename requests, allowing them to move files from temporary directories to arbitrary filesystem locations. The lack of proper path canonicalization or allowlist enforcement enables both confidentiality breaches (reading sensitive files) and integrity/availability violations (overwriting binaries, configuration files, or achieving code execution). The CVSS 3.1 score of 8.8 reflects high impact across all three security dimensions (confidentiality, integrity, availability) with low attack complexity and no user interaction requirement.
Business impact
Successful exploitation could result in complete compromise of the bookcars application and underlying server. An attacker could exfiltrate customer data, payment information, or other sensitive records stored by the application. By overwriting application files or injecting malicious code into executable locations, attackers could achieve persistent remote code execution, enabling them to establish backdoors, pivot to internal systems, or deploy ransomware. For organizations operating bookcars for car rental services, this translates to operational disruption, regulatory compliance violations (especially if customer data is exposed), reputational damage, and potential financial liability.
Affected systems
Bookcars v8.3 is confirmed affected. Organizations running this version in production environments with network exposure are at risk if they have user accounts (legitimate or compromised) that can authenticate to the application. No patches or vendor guidance has been issued yet, so all deployments of v8.3 should be treated as vulnerable until patching becomes available.
Exploitability
The vulnerability requires valid authentication credentials, which limits opportunistic exploitation to users with legitimate or compromised accounts. However, account compromise via credential stuffing, phishing, or default credentials is common, making the authentication barrier relatively low in practice. The attack is straightforward to execute—no advanced techniques, special tools, or race conditions required. Given that the vulnerability is in a common user-creation workflow, attackers who obtain valid credentials have a direct, reliable path to exploitation. The flaw is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the latest update, but this does not indicate the vulnerability is difficult to exploit; it simply reflects current threat intelligence status.
Remediation
The primary remediation is to upgrade bookcars to a patched version as soon as vendor guidance is released. Until a patch is available, organizations should: (1) restrict network access to the bookcars application to trusted IP ranges or VPN-only; (2) enforce strong authentication controls and monitor for unauthorized account creation or suspicious login patterns; (3) disable or protect the /api/create-user endpoint if it is not actively needed; (4) review filesystem permissions to limit the damage a compromised application process can inflict. These controls reduce exploitability but do not eliminate the underlying flaw.
Patch guidance
Verify the bookcars vendor advisory for patched versions addressing CVE-2026-36723. Patches should include input validation on file rename operations, use of a secure temporary directory with restricted permissions, and prevention of path traversal characters in rename requests. Test patches in a non-production environment before deploying to production systems. Given the severity and ease of exploitation, patching should be prioritized in your vulnerability management workflow.
Detection guidance
Monitor application logs for suspicious patterns in the /api/create-user endpoint, particularly requests containing path traversal sequences ('../', '..\\', or URL-encoded variants like %2e%2e%2f). Audit filesystem access logs for unexpected file creation or modification in sensitive directories outside the intended application directory (e.g., /etc, /var/www, system binary locations). Check temporary directories for files that may have been staged for exploitation. Implement file integrity monitoring on critical application files to detect unauthorized modifications. Monitor process execution from the bookcars application for signs of shell spawning or execution of suspicious binaries, which may indicate code execution via this vulnerability.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.8), low attack complexity, and direct path to remote code execution. The authentication requirement, while adding a layer of friction, is not a sufficient protective control given the prevalence of account compromise. Organizations with exposed bookcars v8.3 instances should treat this as a critical priority until patches are available and deployed.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH severity) reflects: (1) Network-accessible attack vector (AV:N); (2) Low attack complexity (AC:L)—no special conditions or user interaction required; (3) Authentication requirement (PR:L), which prevents unauthenticated exploitation but does not significantly reduce risk given common account compromise scenarios; (4) Impact across all three security objectives—high confidentiality impact (reading arbitrary files), high integrity impact (modifying or overwriting files), and high availability impact (deleting critical files or achieving code execution). The absence of scope change (S:U) indicates the impact is limited to the vulnerable component's security domain, not broader system scope, but the combination of factors still warrants a HIGH rating.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated users?
No. The vulnerability requires valid authentication credentials to access the /api/create-user endpoint. However, account compromise via credential theft, weak passwords, or default credentials is common, so the practical attack surface is wider than it first appears. Organizations should assume that any compromised user account can be leveraged for exploitation.
What is the difference between this file rename issue and a standard directory traversal?
This is a directory traversal vulnerability that manifests through file operations (specifically rename). The attacker cannot directly access arbitrary files via a path traversal in a read operation; instead, they abuse the rename functionality to move files to sensitive locations, which is more dangerous because it enables modification and code execution, not just information disclosure.
If we restrict network access to bookcars, are we safe?
Restricting network access reduces your attack surface significantly, but does not eliminate the vulnerability. Insider threats, compromised internal accounts, or lateral movement from another compromised system could still allow exploitation. Network segmentation is a good defense-in-depth measure but should be combined with patching and strong authentication controls.
Why is this not listed in CISA's Known Exploited Vulnerabilities catalog?
CISA's KEV catalog reflects vulnerabilities for which there is evidence of active exploitation in the wild. This vulnerability may not yet have been actively exploited at scale, or exploitation may not have been publicly reported or detected by CISA. The absence from the KEV catalog does not indicate low severity or difficulty—it is a timing and visibility matter, not a risk assessment.
This analysis is provided for informational purposes to assist cybersecurity professionals in risk assessment and vulnerability management. SEC.co does not provide legal, compliance, or operational guarantees. Organizations should verify all patch versions and vendor guidance directly against official bookcars security advisories before implementing remediation. Testing should be conducted in non-production environments. The absence of a vulnerability from CISA's KEV catalog does not indicate low risk or active exploitation status at any given time. Security decisions should be informed by your organization's specific threat model, asset criticality, and environment configuration. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write
- CVE-2026-22926HIGHOmnissa Workspace ONE Assist macOS Local Privilege Escalation