CVE-2026-55677
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
Echo, a Go web framework, has a vulnerability due to a mismatch in URL path decoding between the router and the static file handler. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization.
Risk Assessment
The organization is exposed to unauthorized access to static files that should be protected by routing rules, potentially leading to leakage of sensitive data.
Recommendation
Immediately update the Echo framework to version 4.15.3 or 5.2.0, which contain the fix for this vulnerability.
Original NVD description (English source)
Echo is a Go web framework. Prior to 4.15.3 and 5.2.0, Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization. This vulnerability is fixed in 4.15.3 and 5.2.0.

