CVE-2026-49009

LOW

Northern.tech Mender Server <= 4.1.0 - Directory Traversal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-49009. PoCs published by INTELEON404, j0xh-sec.


Description

Northern.tech Mender Server v4.1.0, v4.0.1 and below allows Directory Traversal. Fixed in v4.1.1 and v4.0.2.

Exploits (2)

github WORKING POC
by INTELEON404 · poc
https://github.com/INTELEON404/CVE-2026-49009

This repository contains a functional exploit for CVE-2026-49009, an authenticated path traversal vulnerability in Mender Server that leads to remote code execution. The exploit includes a Python script and a Nuclei template that demonstrate the vulnerability by overwriting a trusted binary in the worker container.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mender Server versions 4.1.0, 4.0.1, and below
Auth required
Prerequisites: Valid user credentials for Mender Server · Access to the management API
devstral-2 · analyzed Jun 02, 2026

nomisec WORKING POC
by j0xh-sec · poc
https://github.com/j0xh-sec/CVE-2026-49009

This repository contains a functional exploit PoC for CVE-2026-49009, demonstrating an authenticated path traversal vulnerability in Mender Server that leads to remote code execution (RCE). The exploit authenticates to the management API, submits a malicious single-file artifact generation request with a traversal filename to overwrite /usr/bin/mender-artifact, and uploads a shell payload that executes arbitrary commands when the workflow invokes the binary.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mender Server v4.1.0, v4.0.1 and below
Auth required
Prerequisites: Valid Mender account credentials · Access to the single-file artifact generation workflow
devstral-2 · analyzed May 29, 2026

Scores

CVSS v3: 3.1
EPSS: 0.0005
EPSS Percentile: 16.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Published: May 27, 2026
Tracked Since: May 28, 2026