Relative Path Traversal in MOVEit Transfer (v<=2025.0.6, 2025.1.0-2025.1.2)
CVE-2026-8650 Published on July 8, 2026
Authenticated Path Traversal allows MOVEit admins to view arbitrary system files
Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).
This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
Vulnerability Analysis
Weakness Type
Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Products Associated with CVE-2026-8650
Want to know whenever a new CVE is published for Progress Moveit Transfer? stack.watch will email you.
Affected Versions
Progress MOVEit Transfer:- Version 2025.1.0 and below 2025.1.3 is affected.
- Before 2025.0.7 is affected.