GROWI Software Vulnerable to Path Traversal Attack

AI-generated from multiple sources. Verify before acting on this reporting.

SEOUL, May 11 (AP) — GROWI, Inc. disclosed on Monday that its collaborative software platform contains a critical vulnerability allowing path traversal attacks, potentially exposing sensitive user data to unauthorized access. The company confirmed the security flaw was identified on May 11, 2026, though the specific location of the vulnerability's discovery remains undisclosed.

The path traversal vulnerability enables attackers to bypass file system restrictions and access files outside the intended directory structure. Security researchers who first reported the issue to GROWI have not been publicly named, and the company has not specified whether the vulnerability was exploited in the wild. GROWI stated it is working urgently to develop and deploy a patch for affected systems.

GROWI, a widely used open-source knowledge management tool, allows organizations to create internal wikis and documentation systems. The software is deployed across various sectors including technology, education, and government institutions. The company's announcement came after internal testing revealed the security gap, though details about the testing methodology were not provided.

The vulnerability affects multiple versions of GROWI software, and the company is advising all users to update immediately once a fix becomes available. GROWI has not yet released a timeline for the patch deployment, leaving administrators of affected systems uncertain about their exposure to potential attacks.

Security experts warn that path traversal attacks can lead to data breaches, system compromise, or unauthorized access to sensitive files. The severity of the vulnerability depends on how the software is configured and what data is stored within affected systems. Organizations using GROWI are urged to review their security protocols and consider temporary mitigation measures until an official patch is released.

GROWI, Inc. has not commented on whether any known incidents have occurred as a result of this vulnerability. The company's statement emphasized its commitment to user security and promised regular updates as the situation develops. Technical details about the vulnerability's mechanics have been withheld to prevent potential exploitation while the fix is being developed.

The incident highlights ongoing challenges in securing open-source software platforms that are widely adopted across industries. As GROWI works to resolve the issue, users are left waiting for more information about the scope of the vulnerability and the expected timeline for remediation. The company has not indicated whether additional vulnerabilities were discovered during the investigation.

Questions remain about the origin of the vulnerability report and whether the issue was discovered through automated scanning, manual testing, or other means. GROWI has not specified if the vulnerability was reported by an external researcher or identified internally. The company's response to the security incident will be closely watched by the cybersecurity community as a benchmark for handling similar issues in open-source software.