Bug 2460200

Summary: CVE-2026-5789 civetweb: CivetWeb: Arbitrary code execution and privilege escalation via unquoted search path [epel-all]
Product: [Fedora] Fedora EPEL Reporter: Keith Grant <kgrant>
Component: civetwebAssignee: Kaleb KEITHLEY <kkeithle>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: epel10CC: kkeithle
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["d64d3f96-e6f9-41ee-ba19-4df8effd71ec"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-04-27 18:30:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2460124    

Description Keith Grant 2026-04-21 18:09:43 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Kaleb KEITHLEY 2026-04-27 18:30:13 UTC
See https://github.com/civetweb/civetweb/issues/1382

Since CivetWeb is utilized as an embedded component within your application, the underlying code does not inherently expose your software to this flaw. Your application would only be susceptible to this type of attack if the following conditions are met simultaneously during deployment:

    1. Your application is registered as a Windows service.
    2. The path where your application is installed contains spaces in the folder names (as typically occurs in C:\Archivos de programa\ or C:\Program Files).
    3. The installation process or the script that registers your application’s service does not enclose the full executable path in quotation marks.

Based on the above, closing as NOTABUG