python · OctoPrint · Critical
OctoPrint File Exfiltration via FILE_UPLOAD Permission (CVE-2025-XXXX)
What changed
A vulnerability in OctoPrint versions up to 1.11.7, 2.0.0rc1, and 2.0.0rc2 allows attackers with FILE_UPLOAD permission to exfiltrate files by moving them into the upload folder. The fix in 1.11.2 was incomplete. Patched in 1.11.8 and 2.0.0rc3.
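As an added, stand-alone illustration (not OctoPrint's own code) of the check that closes this class of bug: a file move inside the uploads tree must confine both the source and the destination after resolving `..` and symlinks, because a source outside the tree is exactly what turns "move into the upload folder" into a download of an arbitrary file. Function names and the directory layout are assumptions made for the example.

```python
import os
import shutil
import tempfile


def is_confined(root: str, path: str) -> bool:
    """True only if `path`, after resolving '..' and symlinks, lies inside `root`."""
    root_real = os.path.realpath(root)
    path_real = os.path.realpath(path)
    try:
        return os.path.commonpath([root_real, path_real]) == root_real
    except ValueError:  # paths on different drives (Windows)
        return False


def safe_move(uploads_root: str, src: str, dst: str) -> str:
    """Move a file within the uploads tree. Rejecting an unconfined *source* is the
    check that stops 'move it into uploads, then download it' exfiltration."""
    src_path = os.path.join(uploads_root, src)
    dst_path = os.path.join(uploads_root, dst)
    if not is_confined(uploads_root, src_path):
        raise PermissionError(f"source escapes uploads root: {src!r}")
    if not is_confined(uploads_root, dst_path):
        raise PermissionError(f"destination escapes uploads root: {dst!r}")
    if not os.path.isfile(src_path):
        raise FileNotFoundError(src)
    os.makedirs(os.path.dirname(dst_path), exist_ok=True)
    shutil.move(src_path, dst_path)
    return os.path.relpath(os.path.realpath(dst_path), os.path.realpath(uploads_root))


def demo() -> dict:
    """Constructed layout: <tmp>/uploads is the allowed tree; <tmp>/config.yaml must stay out of reach."""
    base = tempfile.mkdtemp()
    uploads = os.path.join(base, "uploads")
    os.makedirs(os.path.join(uploads, "sub"))
    with open(os.path.join(uploads, "part.gcode"), "w") as f:
        f.write("G28\n")
    with open(os.path.join(base, "config.yaml"), "w") as f:
        f.write("api_key: CONSTRUCTED-PLACEHOLDER\n")
    # A symlink planted inside uploads that points outside must be caught too.
    os.symlink(os.path.join(base, "config.yaml"), os.path.join(uploads, "link.yaml"))
    results = {"in_tree": safe_move(uploads, "part.gcode", "sub/part.gcode")}
    for name, src in (("traversal", "../config.yaml"), ("symlink", "link.yaml")):
        try:
            safe_move(uploads, src, "stolen.yaml")
            results[name] = "moved"
        except PermissionError:
            results[name] = "rejected"
    results["config_intact"] = os.path.isfile(os.path.join(base, "config.yaml"))
    shutil.rmtree(base)
    return results
```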
Who it affects
OctoPrint instances running versions <=1.11.7, 2.0.0rc1, or 2.0.0rc2 where users have FILE_UPLOAD permission.
What to do today
Upgrade to OctoPrint 1.11.8 or 2.0.0rc3 immediately.