Executive Summary

CVE-2026-24686 is a path traversal vulnerability in the go-tuf TAP 4 multirepo client. The client uses the repository name string (repoName) from a TAP 4 map file directly as a filesystem path component to select the local metadata cache directory without sanitizing it. If an attacker controls the map file from an untrusted source, they can supply a repoName containing path traversal sequences (e.g., '../escaped-repo'), causing go-tuf to write metadata files outside the intended cache directory. This can lead to arbitrary file writes within the permissions of the running process, potentially overwriting important files and leading to further system compromise. The vulnerability affects versions from 2.0.0 up to 2.4.0 and is fixed in version 2.4.1. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker who can supply a malicious TAP 4 map file to cause the go-tuf client to write files outside its intended cache directory. This arbitrary file write can overwrite writable files such as configuration files, potentially leading to system compromise depending on the deployment context. The impact includes unauthorized modification of files, which can affect the integrity of the system and may lead to further exploitation. The vulnerability requires that local caching is enabled and that the cache directory is writable by the process. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection involves checking for unexpected directory creations or metadata files written outside the intended LocalMetadataDir cache base due to path traversal in repoName. You can inspect filesystem locations where go-tuf caches metadata for directories or files with suspicious names containing traversal sequences like '../'. Additionally, monitoring logs for errors or unusual file writes by the go-tuf process may help. Since the vulnerability involves path traversal in repository names, searching for files or directories created outside the expected cache directory can be done with commands like: 1) find /path/to/cache -type d -name '*..*' 2) find / -name 'root.json' -exec grep -l 'escaped-repo' {} + 3) audit filesystem writes by the go-tuf process using auditd or inotifywait to detect unexpected file creations outside LocalMetadataDir. However, no explicit detection commands are provided in the resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Upgrade go-tuf to version 2.4.1 or later, where the vulnerability is patched by enforcing strict validation of repository names to prevent path traversal. 2) Treat TAP 4 map files as trusted configuration only, avoiding acceptance of map files from untrusted sources. 3) Validate repository names before use to reject any containing absolute paths, path separators ('/' or '\'), or traversal components ('.' or '..'). 4) Alternatively, disable local caching (set DisableLocalCache=true) to prevent metadata writes to disk. These steps prevent attackers from supplying malicious repoName values that cause directory traversal and arbitrary file writes. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows an attacker to write files outside the intended directory, potentially overwriting configuration files and leading to system compromise, it could indirectly affect compliance by risking unauthorized data access or integrity violations. No direct statements about compliance impact are given. [1, 2]

Useful 0 Not Useful 0