Xerte Online Toolkits unauth file ops (CVE-2026-34413)
CVE-2026-34413
Unauthenticated attackers exploit a missing exit() in the elFinder connector of Xerte Online Toolkits ≤ 3.15 for RCE. Apply .htaccess restrictions immediately to block the /editor/elfinder/ path.
Vendor-confirmed - CVE-2026-34413 is a high severity unauthenticated RCE in Xerte Online Toolkits versions 3.15 and earlier that grants attackers file upload, delete, and overwrite capabilities, plus code execution via PHP web shell. Mitigate by restricting access to /editor/elfinder/ pending an official patch.
Overview
Xerte Online Toolkits versions 3.15 and earlier are missing an effective authentication check in the elFinder file manager connector. The endpoint at /editor/elfinder/php/connector.php sends an HTTP redirect to unauthenticated callers but does not halt PHP execution afterwards. Because the code never calls exit() or die(), the rest of the request is still processed, giving any unauthenticated attacker the same file operations as an authenticated user.
Technical Details
The flaw (CVSS 8.6, HIGH) allows an attacker to send requests directly to the connector without any session or authentication token. The server redirects to a login page, but the absence of an exit statement means the underlying elFinder PHP code still executes. The attacker can then:
- Create, rename, duplicate, overwrite, and delete files and directories in project media folders.
- Upload arbitrary files, bypassing weak extension blocklists.
- Chain this with path traversal (CVE-2026-34412) to write or read files outside the intended media directory.
An attacker who successfully uploads a PHP web shell to a location reachable via the web server can achieve remote code execution (RCE) with the privileges of the web server process. Combined with arbitrary file read, this exposes configuration files, database credentials, and source code.
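The bug class described above, as an added example that is not code from Xerte or elFinder: a minimal connector wrapper with the redirect-without-exit gate next to the corrected form. The session key, the login URL and the stand-in for elFinder's bootstrap are hypothetical; uploadDeny, uploadAllow and uploadOrder are documented elFinder connector options and are shown because an allow-list is what replaces the weak extension blocklist mentioned above.

```php
<?php
// Added example, not code from Xerte or elFinder. It reproduces the bug class
// (a redirect that does not halt the script) in a minimal connector wrapper,
// next to the corrected form. Session key, login URL and the stand-in for
// elFinder's bootstrap are hypothetical. Run with: php connector_demo.php
declare(strict_types=1);

$trace = [];   // records which gate let the connector run

// Hypothetical session check; the real Xerte check is not shown on the page.
function is_logged_in(array $session): bool
{
    return isset($session['logged_in']) && $session['logged_in'] === true;
}

// Stand-in for handing the request to elFinder. It returns the root options a
// hardened connector would pass: uploadDeny / uploadAllow / uploadOrder are
// documented elFinder connector options and turn an extension blocklist into a
// MIME allow-list.
function run_elfinder(string $gate): array
{
    $GLOBALS['trace'][] = "$gate: elFinder connector executed";
    return [
        'uploadDeny'  => ['all'],                                   // deny everything ...
        'uploadAllow' => ['image/png', 'image/jpeg', 'audio/mpeg'], // ... except these types
        'uploadOrder' => ['deny', 'allow'],
    ];
}

// VULNERABLE: header() only queues a response header. PHP keeps executing, so
// an anonymous request still reaches run_elfinder(); the redirect is cosmetic
// and any client that ignores the Location header gets the connector's output.
function connector_vulnerable(array $session): array
{
    if (!is_logged_in($session)) {
        header('Location: /login.php');
        // missing exit()/die(): control falls through to the connector
    }
    return run_elfinder('vulnerable');
}

// FIXED: halt as soon as the response is decided. The connector is an XHR/JSON
// endpoint, so a 403 with a JSON error is more useful to the client than a
// redirect to an HTML login page; either way, the exit is the essential part.
function connector_fixed(array $session): array
{
    if (!is_logged_in($session)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => ['errUnauthorized']]), "\n";
        exit;  // nothing below this line runs for anonymous callers
    }
    return run_elfinder('fixed');
}

// The trace is printed on shutdown so it still appears after exit.
register_shutdown_function(function (): void {
    foreach ($GLOBALS['trace'] as $line) {
        echo $line, "\n";
    }
});

// Constructed anonymous request: no session data at all.
$anonymous = [];
connector_vulnerable($anonymous);   // the connector runs despite the redirect
connector_fixed($anonymous);        // the script stops here; the connector never runs
```

Under the CLI SAPI header() is a no-op, so the script runs offline; the shutdown trace shows that only the vulnerable gate reached the connector. The same fall-through happens in a real request because a Location header is advisory: curl, a script, or a browser with redirects disabled simply reads the body that the rest of the script produces.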
Affected Versions
Xerte Online Toolkits version 3.15 and all earlier releases. No fix version has been announced as of this writing.
Impact
A successful exploit gives the attacker full control over media file storage and, when chained with the path traversal bug, potentially the entire web root. This can lead to:
- Complete site defacement or data theft.
- Lateral movement into the hosting environment if the web server runs with elevated privileges.
- Compromise of any downstream systems that trust the Xerte instance (e.g., SSO identity providers).
Because no user interaction is required and the attack vector is network-accessible, every instance running an affected version should be considered vulnerable.
Remediation
Until a patched release is available, apply these mitigations:
- Restrict network access to the /editor/elfinder/ path via web server rules (e.g., an .htaccess file or an Nginx location block) to trusted IP ranges only.
- Disable elFinder if it is not actively used by removing or renaming the elfinder directory under editor (renaming the whole editor directory also disables the rest of the authoring interface).
- Monitor access logs for unusual requests to /editor/elfinder/php/connector.php from unrecognized IPs.
- Implement WAF rules that block requests to the elFinder connector which do not carry the application's session cookie. A WAF can check for the cookie's presence, not its validity, so treat this as a stopgap rather than an authentication control.
Vendor communication channels should be monitored for an official security patch. In the interim, consider moving the Xerte instance behind a reverse proxy that enforces authentication at the perimeter.
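The first mitigation above as a concrete file, added here and not shipped by the Xerte project: an Apache 2.4 .htaccess that allow-lists a trusted range for everything under /editor/elfinder/. The address range is an RFC 5737 documentation range standing in for your content authors' network, and the path assumes Xerte is installed at the web root.

```apache
# Added example, not shipped by Xerte: <webroot>/editor/elfinder/.htaccess
# for Apache 2.4+. It only takes effect if the vhost grants this path an
# AllowOverride that includes the authorization directives (for example
# "AllowOverride All"); with "AllowOverride None" the file is silently
# ignored, so put the same lines in a <Directory> block of the vhost instead.
# 203.0.113.0/24 is an RFC 5737 documentation range standing in for the
# network your content authors connect from.

# Everything under /editor/elfinder/ (the connector, bundled assets, and any
# file served back from a media root mapped here) returns 403 unless the
# client address matches one of these entries.
<RequireAny>
    Require ip 127.0.0.1 ::1
    Require ip 203.0.113.0/24
</RequireAny>
```

Two checks before relying on this: first, from an address outside the range, request https://your-host/editor/elfinder/php/connector.php?cmd=open&init=1 (the connector's initialisation call) and confirm the response is 403 rather than JSON; second, if the instance sits behind a reverse proxy or CDN, Require ip sees the proxy's address, so configure mod_remoteip (or match on the equivalent forwarded-address header in the proxy) before the rule is meaningful. The Nginx equivalent is a location ^~ /editor/elfinder/ block containing allow 203.0.113.0/24; and deny all;.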
Security Insight
This vulnerability illustrates a recurring antipattern in PHP applications: relying on an HTTP redirect for access control without halting execution. A Location header only asks the client to go elsewhere; a client that ignores it receives whatever the rest of the script produces, so the redirect is not a control at all unless it is followed by exit() or die(). The same class of bug has affected WordPress plugins and Moodle in the past. It also shows how a bundled third-party component such as elFinder can escape the review applied to the core application. Organizations running open-source learning platforms should budget for regular code audits of bundled libraries, not just the core application.