Dalfox Found-Action Deserialization RCE (CVE-2026-45087)
dalfox server mode POST /scan accepts FoundAction/FoundActionShell in JSON — unauthenticated RCE on 0.0.0.0:6664 when no --api-key.
Summary
CVE-2026-45087 is a critical (CVSS 10.0) unauthenticated command execution flaw in Dalfox < 2.13.0 when run as dalfox server. POST /scan deserializes an attacker-supplied model.Options, including the FoundAction and FoundActionShell fields; foundAction() then runs exec.Command(shell, "-c", cmd) whenever any finding fires. Rapid7's Metasploit module exploit/linux/http/dalfox_server_rce_cve_2026_45087 weaponizes this path.
Key Findings
| Finding | Detail |
|---|---|
| CVE | CVE-2026-45087 |
| Mode | REST API server only (dalfox server) |
| Default bind | 0.0.0.0:6664 without --api-key |
| Weakness | CWE-15 — external control of execution options via JSON |
| Fixed version | 2.13.0 (strips FoundAction fields from API input) |
Attack Chain
POST /scan { "url": "http://attacker/reflect", "options": { "found-action": "id", "found-action-shell": "/bin/sh" } }
↓
Dalfox scans → finds reflected XSS on attacker URL
↓
foundAction() executes attacker command as dalfox process user
Impact
Internet-exposed Dalfox servers become full-compromise hosts — common misuse includes leaving scanner daemons on CI or bug-bounty VPS images.
Mitigation
- Upgrade to Dalfox 2.13.0+.
- Never expose dalfox server publicly; bind 127.0.0.1 and require --api-key.
- Hunt for POST /scan with found-action / found-action-shell in HTTP logs.
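A hunt for the last bullet, as an added example that is not part of the advisory or of Dalfox itself. It walks constructed reverse-proxy log lines (the log format is an assumption; the attacker sample is labelled as constructed) and flags any POST /scan whose JSON body carries a FoundAction-style key under any spelling, since the advisory names both the JSON form (found-action, found-action-shell) and the Go field names (FoundAction, FoundActionShell).

```python
import json
import re

# Constructed sample of a reverse-proxy access log that records request bodies.
# Format is an assumption for this example: <client> "<METHOD> <path>" <status> <json-body>
SAMPLE_LOG = """\
10.0.0.5 "POST /scan" 200 {"url":"http://example.test/","options":{"blind":"x"}}
203.0.113.9 "POST /scan" 200 {"url":"http://attacker.test/reflect","options":{"found-action":"id","found-action-shell":"/bin/sh"}}
203.0.113.9 "POST /scan" 200 {"url":"http://attacker.test/r","options":{"FoundAction":"id"}}
10.0.0.5 "GET /result/abc" 200 {}
"""
LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) (.*)$')
# Matched after lowercasing and dropping non-alphanumerics, so found-action,
# FoundAction and foundActionShell all normalise to the same key name.
DANGEROUS_KEYS = {"foundaction", "foundactionshell"}

def _normalise(key: str) -> str:
    return re.sub(r"[^a-z0-9]", "", key.lower())

def dangerous_keys(obj) -> set:
    """Recursively collect FoundAction-style keys anywhere in a parsed JSON body."""
    found = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            if _normalise(k) in DANGEROUS_KEYS:
                found.add(k)
            found |= dangerous_keys(v)
    elif isinstance(obj, list):
        for item in obj:
            found |= dangerous_keys(item)
    return found

def hunt(log_text: str) -> list:
    """Return (client, sorted keys) for each POST /scan carrying found-action fields."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, _status, body = m.groups()
        if method != "POST" or path.split("?", 1)[0] != "/scan":
            continue
        try:
            parsed = json.loads(body)
        except json.JSONDecodeError:
            continue  # not a well-formed JSON scan request; nothing to inspect
        keys = dangerous_keys(parsed)
        if keys:
            hits.append((client, sorted(keys)))
    return hits
```

Run hunt() over your own proxy or WAF export in this format; a hit from any client other than a trusted scanner operator is a strong signal that the exposed API was probed with this CVE.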