VAPTCoordinated vulnerability disclosure platformResearcher recognition, vendor coordination, and CVE support
LoginRequest CVE
MEDIUM Vulnerability

CVE-2026-44003

Pre-authenticated directory traversal in Aurora VPN diagnostic export

Aurora VPN exposed a pre-authenticated file disclosure issue in its diagnostic export handler, allowing remote retrieval of arbitrary files from the appliance filesystem.

CVECVE-2026-44003
TitlePre-authenticated directory traversal in Aurora VPN diagnostic export
Case NumberVAPT-2026-04403
Status
Published
Credits
Affected products
ProductAffectedUnaffectedUnknown
Aurora Secure Aurora VPN GatewayAurora VPN Gateway 3.5.0 through 3.5.3Unknown
CVSS
Base score6.9 - MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactNONE
Availability ImpactNONE
References
Problem type(s)
CWE / Problem TypeMITRE TacticsMITRE Techniques
  • Discovery (TA0007)
  • Collection (TA0009)
  • File and Directory Discovery (T1083)
  • Data from Local System (T1005)
Date publishedApr 9, 2026
Last modifiedApr 10, 2026, 13:43 UTC

Description

The handler normalized archive names after the destination path was joined, which allowed `../` segments to survive the security check. A crafted request reached privileged export logic early in the request lifecycle and streamed arbitrary files back to the client.

Known Detection Rules

Upgrade to Aurora VPN Gateway 3.5.4 or later, restrict the diagnostic export route at the edge, and rotate any credentials or key material stored on the affected appliance. Review access logs for unusual export requests containing encoded traversal sequences.

No authenticated YARA, Sigma, or KQL detection content is attached to this CVE.

References

VAPT writeup

Public VAPT advisory linked to this CVE.

VAPT advisory
Vendor advisory

Public vendor advisory or acknowledgment linked to this CVE.

Vendor advisory
JSON Version