DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-62GX-5Q78-WRVX: GHSA-62GX-5Q78-WRVX: Authenticated Path Traversal in obsidian-local-rest-api

GHSA-62GX-5Q78-WRVX: Authenticated Path Traversal in obsidian-local-rest-api

Vulnerability ID: GHSA-62GX-5Q78-WRVX
CVSS Score: 9.1
Published: 2026-07-15

The obsidian-local-rest-api plugin prior to version 4.1.3 is vulnerable to an authenticated path traversal flaw in its /vault/{path} endpoints. An authenticated attacker can bypass the vault root boundary using URL-encoded directory traversal sequences to perform unauthorized operations on the host filesystem.

TL;DR

Authenticated path traversal allows arbitrary host filesystem read, write, and deletion via URL-encoded characters due to improper path resolution logic.


Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network / Local
  • CVSS Score: 9.1 (Critical)
  • Impact: Arbitrary File Read, Write, Append, Deletion, and Remote Code Execution
  • Exploit Status: PoC Documented
  • KEV Status: Not Listed

Affected Systems

  • obsidian-local-rest-api NPM package
  • obsidian-local-rest-api Obsidian community plugin
  • obsidian-local-rest-api: < 4.1.3 (Fixed in: 4.1.3)

Mitigation Strategies

  • Upgrade the obsidian-local-rest-api plugin to version 4.1.3 or higher.
  • Ensure the API port is bound to the loopback interface (127.0.0.1) and not exposed to the local network or external interfaces unless absolutely necessary.
  • Implement strong access token management and restrict token access.

Remediation Steps:

  1. Open Obsidian and navigate to Settings > Community Plugins.
  2. Click 'Check for Updates' to fetch the latest plugin metadata.
  3. Select 'Local REST API' and click 'Update' to install version 4.1.3.
  4. Verify the update by checking that the local plugin version is 4.1.3 or newer.

References


Read the full report for GHSA-62GX-5Q78-WRVX on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)