CVE Catalog

CVE-2026-55677

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

Echo, a Go web framework, has a vulnerability due to a mismatch in URL path decoding between the router and the static file handler. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization.

Risk Assessment

The organization is exposed to unauthorized access to static files that should be protected by routing rules, potentially leading to leakage of sensitive data.

Recommendation

Immediately update the Echo framework to version 4.15.3 or 5.2.0, which contain the fix for this vulnerability.

Original NVD description (English source)

Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization. This vulnerability is fixed in 4.15.3 and 5.2.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS