CVE-2026-37531:
CVE-2026-37531 is a critical vulnerability in AGL app-framework-main through version 17.1.12 that combines a Zip Slip path traversal flaw (CWE-22) with a TOCTOU race condition (CWE-367) in the widget installation process, allowing unauthenticated remote attackers to write arbitrary files anywhere on the filesystem.
Score
- Score: 9.8 (Critical)
- Published Date: May 1, 2026
- CISA KEV Date: No Data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.1
- EPSS Percentile: 29%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-37531 affects AGL app-framework-main through version 17.1.12. It is a critical-severity, remotely exploitable vulnerability chain in the widget installation subsystem, arising from two compounding weaknesses: an incomplete filename validation routine that does not block dot-notation traversal sequences (`../`) in archive entry names, and an ordering error in which archive extraction runs before cryptographic signature verification.

An attacker can therefore craft a ZIP-based widget package whose entry names contain traversal sequences, so that the extraction logic writes files to arbitrary locations on the target filesystem. Even when the signature verification that follows rejects the package, the cleanup step only removes the temporary working files and leaves every traversal-planted file in place. Signature verification therefore provides no protective barrier against the arbitrary file write: the check (verification) happens only after the use (extraction), which is the time-of-check/time-of-use ordering that CWE-367 describes.

The vulnerability requires no authentication and no user interaction and is exploitable over the network, so it is particularly dangerous in any deployment where the widget installation interface is reachable remotely. Because the chain combines CWE-22 (Path Traversal) and CWE-367 (TOCTOU Race Condition), fixing either weakness in isolation is insufficient: hardening only the filename check still lets an unverified package be written to disk before it is rejected, and moving verification before extraction still lets a validly signed but malicious package traverse out of the working directory. Both fixes are required.
Remediation
- Fix the filename check: `is_valid_filename` in `wgtpkg-zip.c` must reject not only absolute paths but every form of directory traversal, including `../` components anywhere in the entry name and their equivalent forms (backslash separators, `.` segments). Splitting the name on separators and refusing any empty, `.` or `..` component is more robust than pattern-matching the literal string `../`.
- Reorder the installation workflow: in `wgtpkg-install.c`, run `check_all_signatures` before any file is extracted, so that unsigned or tampered packages are rejected before a single filesystem write. This is the most important fix.
- Make cleanup complete: the extraction cleanup routine should track every path written during an aborted installation and remove all of them, including any written outside the designated working directory.
- Operational mitigations: upgrade to a patched release once available, monitor the official AGL Gerrit repository for the fix, and in the meantime restrict network access to the widget installation interface and do not expose the installation service to untrusted networks.
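The following C program is an added example for this page, not code from app-framework-main (the project's real `is_valid_filename` and install sequence are not reproduced). It contrasts a hypothetical entry-name check that refuses only absolute paths with a hardened per-component check, and simulates the install ordering described in the Overview and Remediation sections above, counting how many traversal entries from a constructed sample package are left on disk under each combination of fixes. All function names and archive entry names are assumptions.

```c
/*
 * Added example (not code from AGL app-framework-main): a hypothetical weak
 * entry-name check, a hardened check, and a simulated install flow showing
 * why extracting before signature verification leaves planted files behind.
 * The archive entry names below are constructed sample data.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical weak check: refuses only an absolute path, so a name such as
 * "../../etc/cron.d/x" passes and is extracted relative to the work dir. */
bool is_valid_filename_weak(const char *name)
{
    return name != NULL && name[0] != '\0' && name[0] != '/';
}

/* Hardened check: walk the name one component at a time and refuse any
 * component that is empty (leading "/" or "//"), "." or "..".  A trailing
 * "/" is allowed because ZIP directory entries end that way.  Backslashes
 * and ':' are refused outright rather than interpreted. */
bool is_valid_filename_strict(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (strchr(name, '\\') != NULL || strchr(name, ':') != NULL)
        return false;
    for (const char *p = name;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash != NULL ? (size_t)(slash - p) : strlen(p);
        if (len == 0)
            return false;                    /* "/x", "a//b" */
        if (len == 1 && p[0] == '.')
            return false;                    /* "./x", "a/./b" */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                    /* "../x", "a/../b" */
        if (slash == NULL || slash[1] == '\0')
            return true;                     /* last component, or "dir/" */
        p = slash + 1;
    }
}

typedef struct {
    const char *name;      /* entry name exactly as stored in the archive */
} zip_entry;

/* Constructed sample package: one legitimate file and two traversal entries. */
static const zip_entry SAMPLE_ENTRIES[] = {
    { "config.xml" },
    { "../../etc/cron.d/backdoor" },
    { "../../../usr/bin/ls" },
};
static const size_t SAMPLE_COUNT = sizeof SAMPLE_ENTRIES / sizeof SAMPLE_ENTRIES[0];

/* Simulated installer.  Instead of touching the filesystem it counts the
 * entries that pass the supplied validator yet escape the work directory
 * (i.e. fail the strict check); those are the files a cleanup that only
 * deletes the temporary tree leaves behind. */
size_t simulate_install(const zip_entry *entries, size_t n,
                        bool signature_valid, bool verify_before_extract,
                        bool (*validate)(const char *))
{
    if (verify_before_extract && !signature_valid)
        return 0;            /* rejected before any filesystem write */
    size_t planted = 0;
    for (size_t i = 0; i < n; i++) {
        if (!validate(entries[i].name))
            continue;        /* entry refused; nothing written */
        if (!is_valid_filename_strict(entries[i].name))
            planted++;       /* written outside the work dir, never cleaned */
    }
    /* With verify_before_extract == false and an invalid signature the
     * package is rejected here, but only the work dir would be removed. */
    return planted;
}

/* Vulnerable ordering: weak check, extract first, signature then rejected. */
size_t vulnerable_flow_planted(void)
{
    return simulate_install(SAMPLE_ENTRIES, SAMPLE_COUNT,
                            false, false, is_valid_filename_weak);
}

/* Reordering alone stops an unsigned package, but a signed malicious one
 * still traverses with the weak check in place. */
size_t reordered_only_planted(bool signature_valid)
{
    return simulate_install(SAMPLE_ENTRIES, SAMPLE_COUNT,
                            signature_valid, true, is_valid_filename_weak);
}

/* Both fixes together: nothing escapes whether or not the signature holds. */
size_t fully_fixed_planted(bool signature_valid)
{
    return simulate_install(SAMPLE_ENTRIES, SAMPLE_COUNT,
                            signature_valid, true, is_valid_filename_strict);
}

int main(void)
{
    printf("weak check accepts traversal entry: %s\n",
           is_valid_filename_weak("../../etc/cron.d/backdoor") ? "yes" : "no");
    printf("extract-before-verify, bad signature: %zu planted\n", vulnerable_flow_planted());
    printf("verify-before-extract, bad signature: %zu planted\n", reordered_only_planted(false));
    printf("verify-before-extract, valid signature, weak check: %zu planted\n", reordered_only_planted(true));
    printf("both fixes, valid signature: %zu planted\n", fully_fixed_planted(true));
    return 0;
}
```

The strict check deliberately refuses rather than normalizes: an installer should never try to "repair" an entry name, because any entry that needs repairing is already evidence of a hostile package. The simulation also makes the page's point concrete: reordering verification alone brings the unsigned case to zero planted files, but a signed-and-malicious package still escapes until the filename check is fixed too.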
References
- [AGL app-framework-main Source Repository (Gerrit)](https://gerrit.automotivelinux.org/gerrit/src/app-framework-main)
- [Proof-of-Concept / Research Gist (sgInnora)](https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643)
- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
- [CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition](https://cwe.mitre.org/data/definitions/367.html)
- [NVD Entry for CVE-2026-37531](https://nvd.nist.gov/vuln/detail/CVE-2026-37531)