CVE-2026-29190
Received Received - Intake
Path Traversal in Karapace Backup Allows Arbitrary File Read

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader (backup/backends/v3/backend.py). If a malicious backup file is provided to Karapace, an attacker may exploit insufficient path validation to perform arbitrary file read on the system where Karapace is running. The issue affects deployments that use the backup/restore functionality and process backups from untrusted sources. The impact depends on the file system permissions of the Karapace process. This issue has been patched in version 6.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29190
EUVD
EUVD-2026-10147
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aiven karapace to 6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29190 is a Path Traversal vulnerability found in Karapace versions prior to 6.0.0, specifically in the backup reader component. This vulnerability arises due to insufficient path validation when processing backup files. If a malicious backup file is provided, an attacker can exploit this flaw to read arbitrary files on the system where Karapace is running.

The vulnerability affects deployments that use the backup and restore functionality and process backups from untrusted sources. The risk depends on the file system permissions of the Karapace process.

This issue has been fixed by removing the vulnerable backup functionality starting from Karapace version 6.0.0.

Impact Analysis

If exploited, this vulnerability allows an attacker to read arbitrary files on the system running Karapace, which could lead to exposure of sensitive information depending on the file system permissions.

The impact is limited to confidentiality as there is no integrity or availability impact. The attacker needs high privileges and no user interaction is required.

The severity is moderate with a CVSS v3.1 base score of 4.1.

  • Exposure of sensitive files if Karapace runs with high privileges.
  • Potential data leakage from backup files originating from untrusted sources.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises when Karapace processes malicious backup files containing path traversal sequences such as "../" or absolute paths. Detection involves inspecting backup files for suspicious path entries and monitoring Karapace\'s backup processing behavior.'}, {'type': 'list_item', 'content': "Check backup archive contents for path traversal patterns by extracting and listing files, for example using: tar -tf backup.tar | grep '\\.\\./' or zipinfo backup.zip | grep '^/'"}, {'type': 'list_item', 'content': 'Monitor Karapace logs for unusual file access or errors related to backup processing.'}, {'type': 'list_item', 'content': 'Verify the Karapace version to ensure it is 6.0.0 or later, which removes the vulnerable backup functionality.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, upgrade Karapace to version 6.0.0 or later, which removes the vulnerable backup/restore functionality entirely.'}, {'type': 'list_item', 'content': 'If upgrading is not feasible, only restore backups from trusted sources.'}, {'type': 'list_item', 'content': 'Run Karapace with least-privilege permissions, avoiding root or highly privileged accounts.'}, {'type': 'list_item', 'content': 'Restrict file system access for Karapace, avoiding mounting sensitive host paths.'}, {'type': 'list_item', 'content': 'Pre-validate backup archives to reject any paths containing "../" or absolute paths before processing.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart