CVE-2026-24686
Directory Traversal in go-tuf Multirepo Client Allows Arbitrary File Writes
Publication date: 2026-01-27
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| theupdateframework | go-tuf | From 2.0.0 (inc) to 2.4.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24686 is a path traversal vulnerability in the go-tuf TAP 4 multirepo client. The client uses the repository name string (repoName) from a TAP 4 map file directly as a filesystem path component to select the local metadata cache directory without sanitizing it. If an attacker controls the map file from an untrusted source, they can supply a repoName containing path traversal sequences (e.g., '../escaped-repo'), causing go-tuf to write metadata files outside the intended cache directory. This can lead to arbitrary file writes within the permissions of the running process, potentially overwriting important files and leading to further system compromise. The vulnerability affects versions from 2.0.0 up to 2.4.0 and is fixed in version 2.4.1. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker who can supply a malicious TAP 4 map file to cause the go-tuf client to write files outside its intended cache directory. This arbitrary file write can overwrite writable files such as configuration files, potentially leading to system compromise depending on the deployment context. The impact includes unauthorized modification of files, which can affect the integrity of the system and may lead to further exploitation. The vulnerability requires that local caching is enabled and that the cache directory is writable by the process. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking for unexpected directory creations or metadata files written outside the intended LocalMetadataDir cache base due to path traversal in repoName. You can inspect filesystem locations where go-tuf caches metadata for directories or files with suspicious names containing traversal sequences like '../'. Additionally, monitoring logs for errors or unusual file writes by the go-tuf process may help. Since the vulnerability involves path traversal in repository names, searching for files or directories created outside the expected cache directory can be done with commands like:
1) find /path/to/cache -type d -name '*..*'
2) find / -name 'root.json' -exec grep -l 'escaped-repo' {} +
3) audit filesystem writes by the go-tuf process using auditd or inotifywait to detect unexpected file creations outside LocalMetadataDir.
However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Upgrade go-tuf to version 2.4.1 or later, where the vulnerability is patched by enforcing strict validation of repository names to prevent path traversal.
2) Treat TAP 4 map files as trusted configuration only, avoiding acceptance of map files from untrusted sources.
3) Validate repository names before use to reject any containing absolute paths, path separators ('/' or '\'), or traversal components ('.' or '..').
4) Alternatively, disable local caching (set DisableLocalCache=true) to prevent metadata writes to disk.
These steps prevent attackers from supplying malicious repoName values that cause directory traversal and arbitrary file writes. [1, 2]
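One way to implement the repository-name validation from step 3 in Go, as an added example and not go-tuf's own code (the function names ValidateRepoName and RepoCacheDir and the sample cache base path are assumptions):

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadRepoName marks a map-file repository name that is unsafe as a cache directory component.
var ErrBadRepoName = errors.New("invalid repository name")

// ValidateRepoName rejects names that could escape LocalMetadataDir when joined onto it:
// empty names, absolute paths, anything containing '/' or '\', and the components "." and "..".
func ValidateRepoName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("%w: empty name", ErrBadRepoName)
	case name == "." || name == "..":
		return fmt.Errorf("%w: dot component %q", ErrBadRepoName, name)
	case filepath.IsAbs(name) || strings.ContainsAny(name, `/\`):
		return fmt.Errorf("%w: path separator or absolute path in %q", ErrBadRepoName, name)
	}
	return nil
}

// RepoCacheDir joins a validated repository name onto the cache base and, as a second
// line of defence, checks that the cleaned result still lies strictly inside base.
func RepoCacheDir(base, name string) (string, error) {
	if err := ValidateRepoName(name); err != nil {
		return "", err
	}
	cleanBase := filepath.Clean(base)
	dir := filepath.Join(cleanBase, name)
	rel, err := filepath.Rel(cleanBase, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %q", ErrBadRepoName, name, base)
	}
	return dir, nil
}

func main() {
	base := "/var/cache/tuf" // constructed sample cache base, not a go-tuf default
	for _, n := range []string{"prod-repo", "../escaped-repo", "/etc", "a/b", ".."} {
		d, err := RepoCacheDir(base, n)
		fmt.Printf("%-18q -> dir=%q err=%v\n", n, d, err)
	}
}
```

Only "prod-repo" yields a directory; every other sample name is rejected before any path is built, which is the behaviour the fixed client is described as enforcing.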
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows an attacker to write files outside the intended directory, potentially overwriting configuration files and leading to system compromise, it could indirectly affect compliance by risking unauthorized data access or integrity violations. No direct statements about compliance impact are given. [1, 2]