A critical path traversal flaw in DumbAssets through version 1.0.11 lets unauthenticated attackers delete arbitrary files on the server, including core application files, leading to complete denial of service.
What Is It
CVE-2026-45230 is a path traversal vulnerability (CWE-22) in the DumbAssets asset-tracking application. The flaw lives in the POST /api/delete-file endpoint and its filesToDelete array parameter. By supplying ../ sequences, an attacker can bypass directory boundary validation and reach files outside the intended application directory. Because DumbAssets ships with its authentication control optional and disabled by default, exploitation requires no credentials in typical deployments.
The vulnerability carries a CVSS 3.1 base score of 9.1 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H: network-reachable, low attack complexity, no privileges required, no user interaction, no confidentiality impact, and high impact to integrity and availability.
Why It Matters
The attack is trivially scriptable against any internet-exposed DumbAssets instance. Deleting files like server.js or package.json knocks the application offline entirely, and an attacker can chain repeated requests to wipe arbitrary paths the service user has write access to. No KEV entry confirms active exploitation at this time, but the unauthenticated nature and the public PR/advisory make weaponization straightforward.
What's Vulnerable
- Product: DumbAssets (DumbWareio)
- Affected versions: through 1.0.11
- Vulnerable component: POST /api/delete-file endpoint, filesToDelete array parameter
- Precondition: Built-in authentication is optional and off by default, so most real-world deployments are exposed without credentials.
Patch Status
A fix has been proposed upstream via DumbWareio/DumbAssets PR #136. Administrators running DumbAssets ≤ 1.0.11 should:
- Upgrade to a release that incorporates PR #136 once published.
- As an interim mitigation, enable the application's authentication control and restrict network exposure of the /api/delete-file endpoint (e.g., via reverse proxy ACLs or firewall rules).
- Audit existing instances for unexpected file deletions or service crashes.
No CISA KEV listing has been issued for this CVE.