{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25628", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.789Z", "datePublished": "2026-02-06T20:44:13.487Z", "dateUpdated": "2026-02-06T21:11:27.721Z"}, "containers": {"cna": {"title": "Qdrant affected by arbitrary file write via `/logger` endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f"}, {"name": "https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1", "tags": ["x_refsource_MISC"], "url": "https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1"}, {"name": "https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195", "tags": ["x_refsource_MISC"], "url": "https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195"}], "affected": [{"vendor": "qdrant", "product": "qdrant", "versions": [{"version": ">= 1.9.3, < 1.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:44:13.487Z"}, "descriptions": [{"lang": "en", "value": "Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0."}], "source": {"advisory": "GHSA-f632-vm87-2m2f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T21:10:43.947767Z", "id": "CVE-2026-25628", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T21:11:27.721Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25628", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T21:10:43.947767Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T21:11:16.590Z"}}], "cna": {"title": "Qdrant affected by arbitrary file write via `/logger` endpoint", "source": {"advisory": "GHSA-f632-vm87-2m2f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "qdrant", "product": "qdrant", "versions": [{"status": "affected", "version": ">= 1.9.3, < 1.16.0"}]}], "references": [{"url": "https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f", "name": "https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1", "name": "https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195", "name": "https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:44:13.487Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25628", "state": "PUBLISHED", "dateUpdated": "2026-02-06T21:11:27.721Z", "dateReserved": "2026-02-04T05:15:41.789Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T20:44:13.487Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qdrant:qdrant:*:*:*:*:*:*:*:*", "matchCriteriaId": "56056537-A590-4EC8-8605-91E6624A23A7", "versionEndIncluding": "1.16.0", "versionStartIncluding": "1.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0."}], "id": "CVE-2026-25628", "lastModified": "2026-02-19T17:45:58.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T21:16:18.083", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:26:26.555320+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch to upgrade Qdrant to version 1.16.0 or later, which removes the vulnerable endpoint logic.", "If a patch cannot be applied immediately, restrict network access to the /logger endpoint, for example by blocking the port or configuring a reverse proxy to deny requests to /logger.", "Validate and sanitize file path inputs in any custom or extended API that may use the on_disk.log_file parameter, ensuring paths cannot escape the intended directory (e.g., implement strict whitelist checks or truncate path components)."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "Systems running Qdrant versions from 1.9.3 up to, but not including, 1.16.0 are vulnerable. The affected product is Qdrant, the vector similarity search engine and vector database, across all platforms supported by those releases.", "description_and_impact": "An attacker can append to arbitrary files on the host by exploiting the /logger endpoint in Qdrant. The vulnerability allows the attacker to control the on_disk.log_file path, which is used to write data to disk. This writes sensitive data to or modifies existing files, compromising the integrity of the system and potentially the confidentiality of data stored in those files. The weakness is a classic file path input validation flaw identified as CWE-73.", "risk_and_exploitability": "The CVSS score of 8.6 marks the vulnerability as high severity, while the EPSS of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known large\u2011scale exploitation. An attacker would need to reach the /logger REST endpoint and supply a crafted on_disk.log_file value. Minimal privileges are required (read\u2011only access), so anyone able to perform HTTP requests to the service can exploit the flaw. If the endpoint is exposed publicly, a remote attacker can trigger the write; otherwise an insider or local attacker with network access to the service could do so."}}}}, "created": "2026-02-09T10:50:18.755441+00:00", "updated": "2026-04-17T22:30:29.596685+00:00", "vendors": ["qdrant", "qdrant$PRODUCT$qdrant"]}