diff --git a/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/SynapseArtifactUploaderAdmin.java b/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/SynapseArtifactUploaderAdmin.java
index d932fa9d506..71197f01ba3 100644
--- a/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/SynapseArtifactUploaderAdmin.java
+++ b/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/SynapseArtifactUploaderAdmin.java
@@ -20,6 +20,7 @@
 public class SynapseArtifactUploaderAdmin extends AbstractAdmin {
 
     private static final Log log = LogFactory.getLog(SynapseArtifactUploaderAdmin.class);
+    private static final String XML_EXTENSION = "xml";
 
     public boolean uploadArtifact(String fileName, DataHandler dataHandler) throws AxisFault {
 
@@ -27,7 +28,17 @@ public boolean uploadArtifact(String fileName, DataHandler dataHandler) throws A
         File tempDir = new File(CarbonUtils.getCarbonHome() + File.separator + "tmp");
         File destinationTempFile = new File(tempDir, fileName);
         FileOutputStream fos = null;
+
+        String fileExtension = SynapseArtifactUploaderUtil.getFileExtension(fileName);
+        if (!XML_EXTENSION.equals(fileExtension)) {
+            throw new AxisFault("Invalid file type: " + fileExtension);
+        }
+
         try {
+            if (!SynapseArtifactUploaderUtil.validateFilePath(destinationTempFile, tempDir)) {
+                throw new AxisFault("Attempt to upload " + destinationTempFile + ". File path is " +
+                        "outside target directory");
+            }
             fos = FileUtils.openOutputStream(destinationTempFile);
             dataHandler.writeTo(fos);
         } catch (IOException e) {
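Review bot: The extension gate `XML_EXTENSION.equals(fileExtension)` depends on `getFileExtension`, which returns the whole name when `fileName` contains no dot, so a file named just `xml` passes the check; the comparison is also case-sensitive, so `.XML` is rejected. Consider rejecting names without a dot explicitly and comparing with `XML_EXTENSION.equalsIgnoreCase(fileExtension)` if upper-case extensions are meant to be accepted. A null `fileName` reaches `lastIndexOf` and fails with a NullPointerException rather than an `AxisFault`, so a guard such as `if (fileName == null || fileName.isEmpty()) throw new AxisFault("File name is required");` before the extension lookup would keep the error path uniform. The body of `uploadArtifact` starts and ends outside this hunk.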
@@ -56,6 +67,17 @@ public String[] getArtifacts() {
     }
 
     public boolean removeArtifact(String fileName) throws AxisFault {
+        File destinationFile = new File(getExtensionRepoPath() + File.separator + fileName);
+        File artifactDir = new File(getExtensionRepoPath());
+        try {
+            if (!SynapseArtifactUploaderUtil.validateFilePath(destinationFile, artifactDir)) {
+                throw new AxisFault("Attempt to delete " + destinationFile + ". File path is " +
+                        "outside target directory");
+            }
+        } catch (IOException e) {
+            handleException("File Delete failed", e);
+        }
+
         File artifactFile = new File(getExtensionRepoPath() + File.separator + fileName);
 
         if (artifactFile.exists() && artifactFile.isFile()) {
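Review bot: The path check in `removeArtifact` may not fail closed. `AxisFault` is an `IOException` subtype (through `RemoteException`), so the fault thrown inside the `try` is caught by `catch (IOException e)` and passed to `handleException`. If `handleException` does not always rethrow (its body is not visible here), execution continues to the `artifactFile` delete logic even though validation failed. Evaluating the check inside the `try` and throwing outside it removes that dependency, and `destinationFile` can then be reused instead of building the identical `artifactFile` a second time. The rest of `removeArtifact` lies outside this hunk.

```java
    public boolean removeArtifact(String fileName) throws AxisFault {
        File artifactDir = new File(getExtensionRepoPath());
        File destinationFile = new File(artifactDir, fileName);
        boolean insideRepo;
        try {
            insideRepo = SynapseArtifactUploaderUtil.validateFilePath(destinationFile, artifactDir);
        } catch (IOException e) {
            // Canonicalisation failed: refuse the delete instead of continuing.
            throw new AxisFault("File Delete failed", e);
        }
        if (!insideRepo) {
            throw new AxisFault("Attempt to delete " + destinationFile + ". File path is " +
                    "outside target directory");
        }
        // … unchanged: exists()/isFile() check and delete …
```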
diff --git a/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/util/SynapseArtifactUploaderUtil.java b/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/util/SynapseArtifactUploaderUtil.java
index 06580ac1f81..99ca088829f 100644
--- a/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/util/SynapseArtifactUploaderUtil.java
+++ b/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/src/main/java/org/wso2/carbon/mediation/artifactuploader/util/SynapseArtifactUploaderUtil.java
@@ -1,6 +1,7 @@
 package org.wso2.carbon.mediation.artifactuploader.util;
 
 import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 
 /**
@@ -31,4 +32,29 @@ public static String[] getArtifacts(String extensionsPath) {
         return artifactList;
     }
 
+    /**
+     * Finds the extension of a given file
+     *
+     * @param fileName - name of the file
+     * @return - extension
+     */
+    public static String getFileExtension(String fileName) {
+        int index = fileName.lastIndexOf('.');
+        return fileName.substring(index + 1);
+    }
+
+    /**
+     * Validates whether the destinationFile is copied to the target directory
+     *
+     * @param destinationFile - file to be uploaded or removed
+     * @param targetDirectory - target directory
+     * @return true if the destination file is copied to the target directory
+     * @throws IOException
+     */
+    public static boolean validateFilePath(File destinationFile, File targetDirectory) throws IOException {
+        String canonicalPathToFile = destinationFile.getCanonicalPath();
+        String canonicalPathToArtifactDir = targetDirectory.getCanonicalPath();
+        return canonicalPathToFile.startsWith(canonicalPathToArtifactDir);
+    }
+
 }
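Review bot: `validateFilePath` compares canonical paths with a plain string `startsWith`, so a sibling directory whose name merely begins with the target directory's name also satisfies the check. Anchor the comparison on a path boundary, for example `return canonicalPathToFile.startsWith(canonicalPathToArtifactDir + File.separator);`, or compare `Path` objects via `getCanonicalFile().toPath().startsWith(...)`, which matches whole path components. The Javadoc says the file "is copied to the target directory", but the method only tests containment; something like `Checks that destinationFile resolves to a location inside targetDirectory` would describe it accurately, and the bare `@throws IOException` should state that it is raised when canonicalisation fails.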