What this actually is.
Technical background, root cause, and affected surface.
FalkorDB Browser version 1.9.3 contains a critical security vulnerability in its file upload API endpoint (app/api/upload/route.ts). The endpoint fails to enforce any authentication, allowing unauthenticated remote attackers to reach the file write logic.
Furthermore, the uploaded filename is passed unsanitized to Node.js's path.join(), which resolves traversal sequences like ../. This allows an attacker to write arbitrary files to the server's filesystem, including the Next.js source tree. In development environments using Turbopack, this leads to immediate Remote Code Execution (RCE) via hot-reloading when an attacker overwrites an existing API route with a webshell.
- Vendor: FalkorDB
- Affected Product: FalkorDB Browser v1.9.3
- CVE: CVE-2026-6057
- Securin ID: -
- Status: Fixed (v1.9.4)
- Date: April 7, 2026
- Severity: Critical
- CVSS Score: 9.8
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-22, CWE-306
From one request to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
The following snippet from app/api/upload/route.ts demonstrates the missing authentication and unsafe path construction:
```ts
import { NextRequest, NextResponse } from "next/server";
import fs from "fs";
import path from "path";
// Assumption: pump() is the route's promisified stream pipeline helper.
import { pipeline as pump } from "stream/promises";

export async function POST(request: NextRequest) {
  // Missing getClient(request) call found in other routes
  const formData = await request.formData();
  const file = formData.get("file") as File;
  // Unsafe: resolves traversal sequences from file.name
  const filename = file.name.replaceAll(" ", "_");
  const filePath = path.join(process.cwd(), `public/assets/${filename}`);
  await pump(file.stream(), fs.createWriteStream(filePath));
  return NextResponse.json({ path: filePath, status: 200 });
}
```
When does this fire?
All conditions must be true for the exploit to succeed.
- FalkorDB Browser version ≤ 1.9.3.
- Application is accessible over the network.
- For immediate RCE, the server must be running in development mode (npm run dev) with Turbopack.
- Initial Access: Exploit Public-Facing Application
- Execution: Command and Scripting Interpreter
- Persistence: Server Software Component: Web Shell
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Successful exploitation of this vulnerability results in:
- Remote Code Execution (RCE): Attackers can execute arbitrary OS commands as the Node.js process user.
- Full Host Escape: Due to docker group membership, an attacker can achieve root access on the underlying host.
- Data Exfiltration: Sensitive environment secrets like NEXTAUTH_SECRET and ENCRYPTION_KEY can be stolen.
- Credential Theft: All stored PAT passwords in the database can be decrypted.
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Two primary fixes are required to fully secure the application:
- Enforce Authentication: Add the getClient(request) call at the beginning of the POST handler to block unauthenticated access.
- Secure File Handling: Generate server-side UUIDs for filenames instead of using file.name, and use path.resolve() with prefix validation to prevent traversal.
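The second fix, as an added example that is not FalkorDB's own code: the vulnerable path.join() construction shown next to a resolve-and-prefix-check helper and a server-side UUID naming helper, so the traversal case from this advisory can be checked directly. The function names (legacyJoin, resolveUnder, safeStoredName, uploadTarget) and the extension allowlist are assumptions, not the project's.

```typescript
// Added example, not FalkorDB's code: the "Secure File Handling" fix from the
// runbook above (server-side UUID names, path.resolve() + prefix validation)
// as helpers an upload handler would call. All names here are assumed.
import * as path from "node:path";
import { randomUUID } from "node:crypto";

// Only file types the browser actually serves; anything else is refused.
const ALLOWED_EXT = new Set([".png", ".jpg", ".jpeg", ".svg", ".json", ".csv"]);

// What the vulnerable route did: path.join() normalises "../" away, so a
// client-supplied name can land anywhere under cwd, e.g. app/api/*/route.ts.
function legacyJoin(cwd: string, clientName: string): string {
  const filename = clientName.replace(/ /g, "_");
  return path.join(cwd, `public/assets/${filename}`);
}

// Resolve `name` under `root` and refuse anything that escapes it. The check
// appends path.sep so that "/srv/assets-evil" is not mistaken for a child of
// "/srv/assets"; names resolving to the root itself ("", ".", "..") are
// refused as well, since they are not files inside the directory.
function resolveUnder(root: string, name: string): string | null {
  if (name === "") return null;
  const rootAbs = path.resolve(root);
  const target = path.resolve(rootAbs, name);
  return target.startsWith(rootAbs + path.sep) ? target : null;
}

// Server-side filename: a fresh UUID plus an allowlisted extension. Nothing
// from the client name survives except its extension, and only if allowed.
function safeStoredName(clientName: string): string | null {
  const ext = path.extname(path.basename(clientName)).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) return null;
  return `${randomUUID()}${ext}`;
}

// Final write path for an upload, or null. Both layers are applied: the UUID
// removes the client's path segments entirely, and resolveUnder() catches any
// later regression that reintroduces client-controlled names.
function uploadTarget(clientName: string, uploadRoot: string): string | null {
  const stored = safeStoredName(clientName);
  return stored === null ? null : resolveUnder(uploadRoot, stored);
}
```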
Vendors moved in days. Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
- Vulnerability reported to the vendor
- Vendor fixed the issue
- Vendor released the fix
- Advisory is published
- Disclosed 2 days after discovery
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.