CVE-2026-45230: Critical Path Traversal in DumbAssets Allows Arbitrary File Deletion

/CRITICAL /CVSS 9.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severitypath-traversalcwe-22
CVE-2026-45230: Critical Path Traversal in DumbAssets Allows Arbitrary File Deletion

The National Vulnerability Database has issued a critical advisory for CVE-2026-45230, a path traversal vulnerability in DumbAssets through version 1.0.11. This flaw exists within the POST /api/delete-file endpoint and its filesToDelete array parameters. Unauthenticated attackers can exploit this by injecting ../ sequences, bypassing directory boundary validation and allowing the deletion of arbitrary files.

The impact is severe: attackers can traverse outside the intended application directory to delete critical server files like server.js or package.json. This leads to a complete denial of service. While authentication is an optional, disabled-by-default control, its default state leaves installations wide open to this destructive attack. The CVSSv3 score of 9.1 (CRITICAL) underscores the ease of exploitation and the devastating consequences.

This isn’t just a theoretical vulnerability; it’s a direct path to application shutdown. Organizations using DumbAssets must understand that the default configuration is highly insecure. Attackers are constantly looking for low-hanging fruit with high impact, and an unauthenticated arbitrary file deletion fits that profile perfectly. The calculus for an attacker here is simple: find an exposed instance, send a crafted request, and take the system offline. Defenders need to act decisively.

What This Means For You

  • If your organization uses DumbAssets, you are exposed to unauthenticated denial-of-service. Immediately verify your version and apply patches to mitigate CVE-2026-45230. Crucially, audit your authentication settings to ensure they are enabled and properly configured, even if a patch is not yet available.

Related ATT&CK Techniques

T1561 Disk Wipe Impact T1070.004 File Deletion Impact T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-45230: DumbAssets Arbitrary File Deletion via Path Traversal

Sigma YAML — free preview 
title: CVE-2026-45230: DumbAssets Arbitrary File Deletion via Path Traversal
id: scw-2026-05-18-ai-1
status: experimental
level: critical
description: |
  Detects the specific POST request to /api/delete-file with '../' sequences in the URI query, indicating an attempt to exploit the path traversal vulnerability in DumbAssets (CVE-2026-45230) for arbitrary file deletion.
author: SCW Feed Engine (AI-generated)
date: 2026-05-18
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45230/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-method:
          - 'POST'
      cs-uri:
          - '/api/delete-file'
      cs-uri-query|contains:
          - '../'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-45230 Path Traversal DumbAssets through 1.0.11
CVE-2026-45230 Path Traversal POST /api/delete-file endpoint
CVE-2026-45230 Path Traversal filesToDelete array parameters
CVE-2026-45230 DoS Deletion of critical files (e.g., server.js, package.json)

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 18, 2026 at 21:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-20240 — Denial of Service

CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-20
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...

vulnerabilityCVEhigh-severitycwe-532
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 4 Sigma

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...

vulnerabilityCVEmedium-severitycwe-863
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma