GHSA-62GX-5Q78-WRVX: Authenticated Path Traversal in obsidian-local-rest-api
Vulnerability ID: GHSA-62GX-5Q78-WRVX
CVSS Score: 9.1
Published: 2026-07-15
The obsidian-local-rest-api plugin prior to version 4.1.3 is vulnerable to an authenticated path traversal flaw in its /vault/{path} endpoints. An authenticated attacker can bypass the vault root boundary using URL-encoded directory traversal sequences to perform unauthorized operations on the host filesystem.
TL;DR
Authenticated path traversal allows arbitrary host filesystem read, write, and deletion via URL-encoded characters due to improper path resolution logic.
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network / Local
- CVSS Score: 9.1 (Critical)
- Impact: Arbitrary File Read, Write, Append, Deletion, and Remote Code Execution
- Exploit Status: PoC Documented
- KEV Status: Not Listed
Affected Systems
- obsidian-local-rest-api NPM package
- obsidian-local-rest-api Obsidian community plugin
-
obsidian-local-rest-api: < 4.1.3 (Fixed in:
4.1.3)
Mitigation Strategies
- Upgrade the obsidian-local-rest-api plugin to version 4.1.3 or higher.
- Ensure the API port is bound to the loopback interface (127.0.0.1) and not exposed to the local network or external interfaces unless absolutely necessary.
- Implement strong access token management and restrict token access.
Remediation Steps:
- Open Obsidian and navigate to Settings > Community Plugins.
- Click 'Check for Updates' to fetch the latest plugin metadata.
- Select 'Local REST API' and click 'Update' to install version 4.1.3.
- Verify the update by checking that the local plugin version is 4.1.3 or newer.
References
- GitHub Security Advisory GHSA-62GX-5Q78-WRVX
- GitHub Repository for obsidian-local-rest-api
- Release v4.1.3 of obsidian-local-rest-api
- Code Diff between v4.1.2 and v4.1.3
Read the full report for GHSA-62GX-5Q78-WRVX on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)