MEDIUM 4.8

CVE-2026-52756: Ghidra IsfServer Path Traversal Vulnerability

Ghidra, the NSA's reverse-engineering framework, contains a path traversal flaw in its IsfServer network component. An unauthenticated attacker can connect to the default listening port and craft specially formatted messages to probe and enumerate files on the system running Ghidra. The vulnerability allows limited information disclosure and potential denial of service, but does not enable code execution or file modification.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Weaknesses (CWE)
CWE-22
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-14

NVD description (verbatim)

Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages with traversal sequences to enumerate filesystem paths and probe arbitrary files.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-52756 is an unauthenticated path traversal vulnerability (CWE-22) in Ghidra versions prior to 12.2. The IsfServer component, which listens on TCP port 54321 by default, accepts client connections and passes user-supplied namespace strings directly to filesystem operations without proper canonicalization or validation. Attackers can send crafted protobuf-formatted messages containing directory traversal sequences (e.g., '../' or absolute paths) to enumerate directory contents and probe arbitrary files on the host system. The vulnerability requires network access to the listening port but no authentication, credentials, or user interaction.

Business impact

For organizations using Ghidra in security research, malware analysis, or software evaluation workflows, this vulnerability introduces information leakage risk. An attacker with network access to a Ghidra instance could systematically enumerate sensitive file paths, discover project names, or probe for the presence of classified or proprietary reverse-engineering artifacts. In shared lab or cloud-hosted environments, this enables lateral reconnaissance. The impact is primarily confidentiality-focused; actual data exfiltration depends on file read capabilities tied to the Ghidra process user account.

Affected systems

Ghidra versions before 12.2 are affected. The NSA Ghidra project is commonly deployed in cybersecurity research labs, threat intelligence teams, incident response workflows, and by security researchers in both government and commercial sectors. Any installation with IsfServer enabled and network-exposed (whether intentionally or via misconfiguration) presents attack surface.

Exploitability

Exploitation requires network access to port 54321 on the Ghidra host. No authentication is required, and the attacker only needs to craft valid protobuf messages—a low-to-moderate technical barrier. The CVSS score of 4.8 reflects that exploitation is feasible but limited in impact (low confidentiality loss, low availability impact). The vector 'AC:H' (Attack Complexity: High) suggests that reliable exploitation may require knowledge of the target's filesystem layout or iterative probing, though reconnaissance is not prevented.

Remediation

Upgrade Ghidra to version 12.2 or later. Until patching is possible, restrict network access to port 54321 using firewall rules, network segmentation, or host-based ACLs. Disable IsfServer if it is not required for your operational workflow. Audit network logs to identify any unauthorized connection attempts to port 54321.

Patch guidance

Apply Ghidra 12.2 or newer as soon as feasible. Verify the patch through the official NSA Ghidra repository (GitHub: NationalSecurityAgency/ghidra). Test the patched version in a non-production environment to confirm it resolves the vulnerability without disrupting reverse-engineering workflows or project compatibility. Organizations on older major versions should evaluate the upgrade path and plan for any tool customizations or plugin compatibility checks before deployment.

Detection guidance

Monitor for unexpected inbound connections to TCP port 54321 on systems running Ghidra. Inspect logs for connection attempts originating from untrusted or unexpected sources. If IsfServer logging is enabled, look for unusual namespace queries or path traversal patterns (repeated '../' sequences or absolute path probes). Network-based detection can flag protobuf messages with traversal indicators sent to port 54321. Conduct a baseline inventory of IsfServer deployments in your environment and verify whether each instance requires external network exposure.

Why prioritize this

Although the CVSS score is medium (4.8), this vulnerability merits prompt attention in security research and analyst communities. The combination of unauthenticated access, no exploitation complexity, and systematic filesystem reconnaissance capability creates a meaningful risk in labs where sensitive malware samples, classified analysis, or proprietary tools are stored. Organizations with Ghidra exposed to untrusted networks should prioritize patching or network isolation. Lower urgency is acceptable for isolated, air-gapped, or strictly internal Ghidra deployments.

Risk score, explained

The CVSS 3.1 score of 4.8 (MEDIUM) reflects limited but real impact: low confidentiality loss (file enumeration and probing) and low availability risk (potential service disruption via resource exhaustion). The requirement for network connectivity (AV:N) and lack of authentication (PR:N) elevate the base threat. However, the high attack complexity (AC:H) and absence of integrity or confidentiality impact on the target system itself (S:U) cap the severity. For security-focused organizations handling sensitive analysis workloads, the true risk may justify faster remediation than the numeric score alone suggests.

Frequently asked questions

Can an attacker read or download files through this vulnerability?

The vulnerability enables filesystem path enumeration and probing, confirming the existence and structure of files. Whether an attacker can read file contents depends on the filesystem permissions of the Ghidra process user account. In many cases, the vulnerability allows reconnaissance and information disclosure rather than full file exfiltration.

Is IsfServer enabled by default in Ghidra installations?

IsfServer is a network-based collaboration component in Ghidra. Verify your installation's configuration to determine if it is active. Organizations that do not use Ghidra's multi-user or collaborative features should consider disabling IsfServer entirely as a defense-in-depth measure.

Does this vulnerability allow remote code execution?

No. CVE-2026-52756 is a path traversal and information disclosure vulnerability. It does not enable code execution, privilege escalation, or modification of files. The impact is limited to unauthorized file access and enumeration.

What should I do if my Ghidra instance is exposed to the internet?

Immediately restrict inbound traffic to port 54321 using a firewall rule, VPN, or network ACL. Do not rely solely on network obscurity. Apply the Ghidra 12.2 patch as soon as your maintenance window allows, and then re-evaluate whether external exposure is necessary for your use case.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Vulnerability details and patch availability are subject to change; always consult the NSA Ghidra official repository and your vendor advisories for the most current information. Security decisions should be made in the context of your own environment, risk posture, and operational requirements. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for actions taken in reliance on this information. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).