CVE-2026-6105: Improper Authorization in perfree go-fastdfs-web
Executive Summary
A security vulnerability (CVE-2026-6105, CVSS 6.9) has been identified in perfree go-fastdfs-web, versions up to and including 1.3.7. The flaw resides in the doInstall interface of the InstallController.java component and results in improper authorization and incorrect privilege assignment (CWE-285/CWE-266). Unauthenticated, remote attackers can invoke this interface to gain unauthorized access.
Technical Analysis
The flaw exists within the installation controller that exposes the doInstall interface. Because the interface performs inadequate authorization checks, remote users can invoke it and bypass the application's access controls. This grants unauthorized access to sensitive installation functions and can compromise the integrity of the application environment.
Exploitation
Exploitation is possible remotely and requires no prior authentication. Publicly disclosed information indicates that the doInstall endpoint enforces neither authentication nor privilege checks, so unauthenticated attackers can interact with the application's installation process.
Detection
Threat Hunting Query (Splunk/ELK)

index=web_logs uri_path="*/doInstall*" OR uri_path="*InstallController*" | stats count by src_ip, user_agent, url

Mitigation
- Update/Patch: Ensure go-fastdfs-web is updated to a version beyond 1.3.7.
- Access Control: Restrict external access to installation and administration endpoints.
- Validation: Implement robust authorization checks within the doInstall interface.
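The threat-hunting query in the Detection section, carried out over web-server access logs as an added Python example (not code from the advisory or from the go-fastdfs-web project). The log lines, the address ranges treated as internal, and the field names are constructed for the example; it also separates hits that originate outside the deployment's own networks, which is where the access-control mitigation above says they should never come from.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in Nginx/Apache "combined" format.
# Addresses are documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_LOGS = """\
203.0.113.7 - - [12/May/2026:10:02:11 +0000] "POST /doInstall HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2026:10:02:12 +0000] "POST /doInstall HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2026:10:02:13 +0000] "GET /doInstall?step=2 HTTP/1.1" 200 87 "-" "python-requests/2.31"
10.0.0.8 - - [12/May/2026:10:03:00 +0000] "GET /api/doInstall HTTP/1.1" 403 0 "-" "curl/8.4"
198.51.100.3 - - [12/May/2026:10:04:44 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumption for the example: the deployment's own address space; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Path fragments the advisory's Splunk/ELK query watches for (matched case-insensitively).
SUSPECT_PATH_FRAGMENTS = ("/doinstall", "installcontroller")

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<user_agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_install_request(url):
    """Match on the request path only, ignoring the query string and letter case."""
    path = url.split("?", 1)[0].lower()
    return any(frag in path for frag in SUSPECT_PATH_FRAGMENTS)

def hunt(log_text):
    """Equivalent of `stats count by src_ip, user_agent, url` over install-endpoint hits."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_install_request(rec["url"]):
            hits[(rec["src_ip"], rec["user_agent"], rec["url"])] += 1
    return hits

def external_hits(hits):
    """Hits from outside INTERNAL_NETS: the first triage set, since the install endpoint should not be reachable externally at all."""
    def is_internal(ip):
        return any(ip_address(ip) in net for net in INTERNAL_NETS)
    return {key: n for key, n in hits.items() if not is_internal(key[0])}
```

Internal hits such as the 403 from 10.0.0.8 still deserve a look, but on a deployment that has already been installed any successful call to doInstall is worth investigating regardless of source.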