Arbitrary File Overwrite via Path Traversal in Snapshot Upload
A path traversal vulnerability in the `/collections/{name}/snapshots/upload` endpoint of qdrant/qdrant version 1.9.0-dev allows attackers to upload files to arbitrary locations, such as `/root/poc.txt`. The vulnerability was patched in version 1.9.0.
Available publicly on May 30 2024 | Available with Premium on Apr 10 2024
Threat Overview
The vulnerability stems from improper input validation in the `name` parameter of the snapshot upload endpoint. By URL-encoding directory traversal sequences (`../`) and appending them to the `name` parameter, an attacker can escape the intended directory and specify an arbitrary file path for the uploaded file. This can lead to unauthorized file write or overwrite, which could be exploited to achieve remote code execution (RCE) by overwriting critical system files or executables.
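The missing validation can be illustrated with a standard-library-only Rust sketch. This is an added example, not qdrant's code or its 1.9.0 patch; the function names, the `/srv/app/snapshots` storage root and the sample inputs are assumptions made for illustration. It decodes `name` as the HTTP layer would, then accepts `name` and the upload filename only if each is exactly one plain path component.

```rust
use std::path::{Component, Path, PathBuf};

// Decode %XX escapes, as the HTTP layer does before a handler sees `name`.
fn percent_decode(s: &str) -> String {
    let b = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        let hex = if b[i] == b'%' { s.get(i + 1..i + 3) } else { None };
        let byte = hex
            .filter(|h| h.bytes().all(|c| c.is_ascii_hexdigit()))
            .and_then(|h| u8::from_str_radix(h, 16).ok());
        match byte {
            Some(v) => { out.push(v); i += 3; }
            None => { out.push(b[i]); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

// Accept a value only if it is exactly one plain path component:
// rejects "", ".", "..", absolute paths and anything containing a separator.
fn single_component(part: &str) -> bool {
    let mut comps = Path::new(part).components();
    let one_normal = match (comps.next(), comps.next()) {
        (Some(Component::Normal(c)), None) => c.to_str() == Some(part),
        _ => false,
    };
    one_normal && !part.contains(|c: char| matches!(c, '/' | '\\' | '\0'))
}

// Build the upload target under `base`; Err for anything that would escape it.
fn snapshot_target(base: &Path, raw_name: &str, filename: &str) -> Result<PathBuf, String> {
    let name = percent_decode(raw_name);
    for part in [name.as_str(), filename] {
        if !single_component(part) {
            return Err(format!("rejected path element: {:?}", part));
        }
    }
    Ok(base.join(&name).join(filename))
}

fn main() {
    let base = Path::new("/srv/app/snapshots"); // hypothetical storage root
    // Constructed inputs: a normal name, then an encoded traversal toward /root.
    for name in ["my_collection", "..%2F..%2F..%2Froot"] {
        println!("{:?} -> {:?}", name, snapshot_target(base, name, "poc.txt"));
    }
}
```

The check runs on the decoded value, so an encoded separator is rejected the same way as a literal one.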
Attack Scenario
An attacker first crafts a request to the vulnerable endpoint, encoding the `name` parameter to traverse to a target directory (e.g., `/root`). They then specify a `filename` and file contents to be uploaded. If the server processes this request, the file is written to the specified location outside the intended directory. This can be leveraged to overwrite critical files or deploy malicious payloads, potentially leading to full system compromise.
Who is affected
Systems running qdrant/qdrant version 1.9.0-dev are vulnerable. This includes servers where the qdrant service is exposed to untrusted networks, potentially allowing remote attackers to exploit this vulnerability.
Technical Report