Executive Summary
A critical unauthenticated remote code execution vulnerability (CVE-2026-6057) has been disclosed in FalkorDB Browser 1.9.3, the web-based management interface for the FalkorDB graph database. The vulnerability resides in the file upload API endpoint, which fails to validate or sanitize the user-supplied file path. An unauthenticated remote attacker can exploit this path traversal flaw to write arbitrary files to any location on the server filesystem, which can be chained into full remote code execution.
CVSS Score: 9.8 (Critical)
No authentication is required to exploit this vulnerability. Any attacker with network access to the FalkorDB Browser HTTP interface can trigger the file write primitive and escalate to code execution. Organizations running FalkorDB Browser in internet-accessible or shared-network environments should treat this as an emergency remediation priority.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6057 |
| CVSS Score | 9.8 (Critical) |
| Type | Path Traversal → Arbitrary File Write → Remote Code Execution |
| Attack Vector | Network |
| Authentication Required | None |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Check FalkorDB releases |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| FalkorDB Browser | 1.9.3 and earlier | Upgrade to patched release; restrict network access |
Technical Analysis
Root Cause
The FalkorDB Browser file upload API endpoint accepts a user-supplied file path parameter without performing adequate sanitization or path normalization. The application fails to:
- Validate that the target write path remains within an allowed directory
- Strip path traversal sequences (../, ..\, and encoded variants such as %2e%2e%2f)
- Enforce any authentication check before processing file upload requests
This creates a direct path traversal write primitive that is exploitable without any credentials.
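The containment check that the root cause calls for, shown as an added example rather than FalkorDB Browser's own code: the flawed join beside a hardened version that decodes the parameter once, folds backslashes, and verifies that the resolved path stays under the upload root. The upload directory /srv/falkordb/uploads is an assumed value.

```python
import os
from urllib.parse import unquote

# Assumed upload directory; the advisory does not state FalkorDB Browser's real location.
UPLOAD_ROOT = "/srv/falkordb/uploads"


def vulnerable_target_path(upload_root: str, user_path: str) -> str:
    # The flawed pattern: the client-supplied path is joined as-is, so "../"
    # sequences walk out of upload_root and an absolute path replaces it entirely.
    return os.path.join(upload_root, user_path)


def safe_target_path(upload_root: str, user_path: str) -> str:
    # Decode percent-encoding exactly once so %2e%2e%2f is seen as ../ (decode
    # before the check, never after), and treat backslashes as separators so
    # ..\ is not missed by a lenient path layer.
    decoded = unquote(user_path).replace("\\", "/")
    if "\0" in decoded:
        raise ValueError("null byte in path")
    root = os.path.realpath(upload_root)
    # realpath collapses "..", "." and symlinks; join() discards root for an
    # absolute user path, which the containment check below then rejects.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload directory")
    if candidate == root:
        raise ValueError("empty file name")
    return candidate


def classify(user_path: str) -> str:
    # Decision for a single upload parameter value.
    try:
        safe_target_path(UPLOAD_ROOT, user_path)
        return "allowed"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: a benign name, the advisory's traversal example,
    # and its percent-encoded, backslash and absolute-path variants.
    for p in ("graph.csv", "../../../../etc/cron.d/evil",
              "..%2f..%2f..%2f..%2fetc%2fcron.d%2fevil",
              "..\\..\\..\\..\\etc\\cron.d\\evil", "/etc/cron.d/evil"):
        print(f"{p!r:45} -> {classify(p)}")
```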
Attack Flow
1. Attacker identifies a FalkorDB Browser instance on the network (default port 3000)
2. Attacker sends a crafted multipart POST request to the file upload API
3. The target path parameter contains path traversal sequences (e.g. ../../../../etc/cron.d/evil)
4. FalkorDB Browser writes attacker-controlled content to the resolved path
5. Attacker writes a web shell, cron job, or authorized_keys entry for persistence
6. Attacker triggers the written payload to achieve code execution under the server process
Exploitation Techniques
Depending on the server OS and configuration, common paths to code execution from arbitrary file write include:
- Cron job injection: write to /etc/cron.d/ or /var/spool/cron/ to execute commands on a schedule
- SSH authorized_keys: write to ~/.ssh/authorized_keys for the user running FalkorDB to gain shell access
- Web shell deployment: write an executable script to any web-accessible directory
- Service configuration tampering: overwrite startup scripts or systemd unit files to inject commands executed at service restart
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full code execution on the host without any credentials |
| Data Exfiltration | All FalkorDB graph data, credentials, and configuration accessible |
| Server Compromise | Complete control of the underlying host depending on service account privileges |
| Lateral Movement | Pivot to adjacent systems using credentials or tokens accessible from the compromised host |
| Persistence | Attacker can install backdoors or modify startup scripts |
| Data Destruction | Graph database data can be wiped or ransomed |
Immediate Remediation
Step 1: Identify Exposed Instances
# Check if FalkorDB Browser is listening on a network-accessible interface
ss -tlnp | grep 3000
netstat -tlnp | grep 3000
# Confirm the process
ps aux | grep falkor
Step 2: Apply Emergency Network Restriction
If patching is not immediately possible, restrict access to FalkorDB Browser using firewall rules:
# Block all external access to FalkorDB Browser (adjust interface/port as needed)
iptables -I INPUT -p tcp --dport 3000 -j DROP
# Allow only trusted admin IPs (-I inserts at the top of the chain, so this rule is evaluated before the DROP above)
iptables -I INPUT -p tcp --dport 3000 -s <ADMIN_IP>/32 -j ACCEPT
For Docker-deployed instances:
# Bind FalkorDB Browser to loopback only — edit docker-compose.yml
# Change: ports: - "3000:3000"
# To: ports: - "127.0.0.1:3000:3000"
docker compose up -d falkordb-browser
Step 3: Upgrade to Patched Version
Monitor the FalkorDB GitHub releases and upgrade to the patched release as soon as it is available.
# Check current installed version
falkordb-browser --version
# Pull latest patched Docker image
docker pull falkordb/falkordb-browser:latest
docker compose pull && docker compose up -d
Step 4: Audit for Compromise Indicators
# /tmp/baseline is a reference-timestamp file; create it dated before the exposure window
# so that -newer reports only files modified after that point
touch -d "<DATE-BEFORE-EXPOSURE>" /tmp/baseline
# Look for recently modified files in sensitive system directories
find /etc/cron.d /etc/cron.daily /var/spool/cron -newer /tmp/baseline -type f 2>/dev/null
# Check for unauthorized SSH keys
cat /root/.ssh/authorized_keys
find /home -name authorized_keys -exec cat {} \;
# Review web-accessible directories for unexpected scripts
find /var/www /opt/falkordb \( -name "*.php" -o -name "*.sh" \) -newer /tmp/baseline 2>/dev/null
Detection Indicators
| Indicator | Description |
|---|---|
| Multipart POST requests with path traversal sequences in filename | ../ or %2e%2e in upload API parameters |
| Unexpected files created outside the FalkorDB data directory | Arbitrary write exploitation |
| New cron entries appearing after FalkorDB Browser access | Cron persistence via file write |
| Unfamiliar SSH authorized_keys entries | SSH persistence via file write |
| Outbound connections from the FalkorDB process | Reverse shell following RCE |
| FalkorDB process spawning shell commands | Command execution under service account |
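A detector for the first row of the table, added here as example code rather than anything FalkorDB ships: it scans access-log lines for POST requests to the upload endpoint whose parameter decodes to a traversal, covering the ../, ..\ and %2e%2e forms listed above. The endpoint /api/upload, the parameter name path and the log lines are constructed assumptions; if the real parameter travels in the multipart body, the same check needs a proxy or WAF that logs that field.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format. The upload endpoint and the
# "path" query parameter are assumed names, not FalkorDB Browser's real ones.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "POST /api/upload?path=graph.csv HTTP/1.1" 200 17
198.51.100.7 - - [01/Mar/2026:10:00:02 +0000] "POST /api/upload?path=..%2f..%2f..%2f..%2fetc%2fcron.d%2fevil HTTP/1.1" 200 17
198.51.100.7 - - [01/Mar/2026:10:00:03 +0000] "POST /api/upload?path=%2e%2e%2f%2e%2e%2fhome%2fapp%2f.ssh%2fauthorized_keys HTTP/1.1" 200 17
10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /api/graphs HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2026:10:00:05 +0000] "POST /api/upload?path=..\\..\\..\\evil.bat HTTP/1.1" 200 17
"""

UPLOAD_ENDPOINT = "/api/upload"  # assumption

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    # Decode once (turns %2e%2e%2f and ..%2f into ../), fold backslashes to
    # slashes, then flag any ".." segment or an absolute path.
    decoded = unquote(value).replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")


def scan(log_text: str) -> list:
    # One alert per upload parameter that decodes to a traversal.
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["url"].startswith(UPLOAD_ENDPOINT):
            continue
        query = m["url"].partition("?")[2]
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            if raw and is_traversal(raw):
                # A 2xx status here means the write most likely succeeded:
                # triage as a confirmed arbitrary file write, not an attempt.
                alerts.append({"ip": m["ip"], "ts": m["ts"], "param": key,
                               "target": unquote(raw), "status": m["status"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['param']}={a['target']!r} status={a['status']}")
```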
Post-Remediation Checklist
- Patch all FalkorDB Browser instances immediately upon release availability
- Restrict network access — FalkorDB Browser should never be internet-exposed; use a VPN or bastion host
- Audit filesystem for attacker-planted files, cron jobs, and unauthorized SSH keys
- Rotate credentials stored within or accessible from the FalkorDB host
- Review process logs for anomalous subprocess execution by the FalkorDB service user
- Enable file integrity monitoring on sensitive directories using tools like AIDE or auditd
- Run FalkorDB as a low-privilege user with no write access outside its data directory
- Notify security operations if exploitation indicators are found — treat as a full incident