CVE-2026-36726: Unauthenticated Arbitrary File Deletion in Bookcars v8.3
Bookcars v8.3 contains a vulnerability that allows attackers to delete files from a server without authentication. The flaw exists in an API endpoint designed to remove temporary license files, but it doesn't properly validate file paths. An attacker can exploit this by injecting directory traversal sequences (like '../') into the request to delete files outside the intended temporary directory, potentially removing critical application or system files.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
An arbitrary file deletion vulnerability in the /api/delete-temp-license/{file} endpoint of bookcars v8.3 allows unauthenticated attackers to delete arbitrary files via supplying directory traversal sequences.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36726 is a path traversal vulnerability (CWE-22) in the /api/delete-temp-license/{file} endpoint of bookcars v8.3. The endpoint accepts a file parameter but fails to sanitize or validate it against directory traversal attacks. By submitting specially crafted requests with path traversal sequences, an unauthenticated attacker can manipulate the file path to delete arbitrary files accessible to the application process. The vulnerability carries a CVSS 3.1 score of 5.3 (Medium severity) with no authentication required and low attack complexity.
Business impact
Successful exploitation could lead to denial of service through deletion of critical application files, configuration files, or data. In multi-tenant or SaaS deployments of bookcars, this could affect availability for legitimate users. While the vulnerability does not directly compromise confidentiality or enable data exfiltration, the integrity impact via file deletion could disrupt business operations, corrupt application state, or necessitate emergency recovery procedures and downtime.
Affected systems
Bookcars version 8.3 is affected. Organizations running this version with the /api/delete-temp-license endpoint exposed (typically in web-facing deployments) are at risk. The vulnerability requires no authentication, making any internet-accessible instance vulnerable if not otherwise restricted by network controls.
Exploitability
Exploitation requires only network access and the ability to craft HTTP requests to the vulnerable endpoint—no authentication, special user privileges, or user interaction is needed. The attack complexity is low, making this a straightforward exploitation scenario for an attacker with basic HTTP request capabilities. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog, though this does not imply immunity from real-world attack.
Remediation
Upgrade bookcars to a patched version released after June 2026 that addresses path traversal validation in the /api/delete-temp-license endpoint. Verify the specific patched version against the official bookcars vendor advisory. Interim mitigations include network-level access controls (WAF rules blocking '../' sequences in that endpoint) and disabling or restricting access to the /api/delete-temp-license endpoint if not essential to operations.
Patch guidance
Check the official bookcars project repository and security advisories for the released patch version addressing CVE-2026-36726. Apply the patch at your earliest convenience given the Medium severity and unauthenticated attack vector. Verify patch deployment by confirming the version string and testing that path traversal payloads no longer result in file deletion. If your version cannot be immediately patched, prioritize restricting network access to affected endpoints.
Detection guidance
Monitor HTTP access logs for requests to /api/delete-temp-license/ containing suspicious path traversal patterns such as '../', '..\', URL-encoded variants (%2e%2e, %252e), or unicode representations. Implement Web Application Firewall (WAF) rules to block such sequences. Monitor file system events for unexpected deletions initiated by the web application process. Alert on any successful HTTP responses (200/204) to delete-temp-license requests, especially from untrusted sources.
Why prioritize this
Although Medium severity, this vulnerability warrants prompt attention because it requires no authentication and has low attack complexity. Attackers can disrupt service availability or corrupt application integrity without any barriers to entry. Prioritize it alongside other unauthenticated remote vulnerabilities in your exposure management workflow. The lack of KEV status does not reduce priority—it simply reflects current threat intelligence rather than imminent mass exploitation.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects an unauthenticated, network-accessible vulnerability (AV:N, PR:N) with low complexity (AC:L) that impacts file integrity but not confidentiality or availability in the strict scoring model. The Medium severity reflects the real-world risk: while not critical, an unauthenticated file deletion capability poses a material operational risk to deployed instances.
Frequently asked questions
Can this vulnerability lead to remote code execution?
No. The vulnerability enables arbitrary file deletion only. However, deletion of critical application files could indirectly lead to denial of service or unpredictable application behavior. It does not directly provide code execution capabilities.
Do I need to authenticate to exploit this vulnerability?
No. The vulnerability is completely unauthenticated—any attacker with network access to the /api/delete-temp-license endpoint can attempt exploitation without valid credentials or session tokens.
What should I do if I cannot patch immediately?
Implement network segmentation or WAF rules to block access to the /api/delete-temp-license endpoint from untrusted sources. Monitor file system and access logs for suspicious activity. Prioritize patching within your normal change management cycle, treating it as high-priority given the lack of authentication barriers.
Is there a workaround that doesn't require patching?
The most effective non-patch mitigation is disabling or restricting network access to the endpoint. If the endpoint is non-essential, disable it entirely. Otherwise, use WAF rules, API gateway policies, or firewall rules to block requests containing path traversal sequences before they reach the application.
This analysis is provided for informational purposes to assist security teams in vulnerability management and risk prioritization. The information reflects the vulnerability description and CVSS scoring published as of the provided data. Verification of affected versions, patch availability, and applicability to your specific environment is your responsibility. Always consult official vendor advisories and release notes before applying patches. No guarantee is provided regarding the completeness or accuracy of detection signatures or remediation strategies described herein. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2019-25734MEDIUMContact Form by WD CSRF & Local File Inclusion Vulnerability
- CVE-2019-25740MEDIUMJoomla com_jsjobs Arbitrary File Deletion Vulnerability
- CVE-2022-50953MEDIUMWordPress admin-word-count-column Plugin Local File Read Vulnerability
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller