CVE-2026-29190
Path Traversal in Karapace Backup Allows Arbitrary File Read
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiven | karapace | to 6.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29190 is a Path Traversal vulnerability found in Karapace versions prior to 6.0.0, specifically in the backup reader component. This vulnerability arises due to insufficient path validation when processing backup files. If a malicious backup file is provided, an attacker can exploit this flaw to read arbitrary files on the system where Karapace is running.
The vulnerability affects deployments that use the backup and restore functionality and process backups from untrusted sources. The risk depends on the file system permissions of the Karapace process.
This issue has been fixed by removing the vulnerable backup functionality starting from Karapace version 6.0.0.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker to read arbitrary files on the system running Karapace, which could lead to exposure of sensitive information depending on the file system permissions.
The impact is limited to confidentiality as there is no integrity or availability impact. The attacker needs high privileges and no user interaction is required.
The severity is moderate with a CVSS v3.1 base score of 4.1.
- Exposure of sensitive files if Karapace runs with high privileges.
- Potential data leakage from backup files originating from untrusted sources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability arises when Karapace processes malicious backup files containing path traversal sequences such as "../" or absolute paths. Detection involves inspecting backup files for suspicious path entries and monitoring Karapace\'s backup processing behavior.'}, {'type': 'list_item', 'content': "Check backup archive contents for path traversal patterns by extracting and listing files, for example using: tar -tf backup.tar | grep '\\.\\./' or zipinfo backup.zip | grep '^/'"}, {'type': 'list_item', 'content': 'Monitor Karapace logs for unusual file access or errors related to backup processing.'}, {'type': 'list_item', 'content': 'Verify the Karapace version to ensure it is 6.0.0 or later, which removes the vulnerable backup functionality.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, upgrade Karapace to version 6.0.0 or later, which removes the vulnerable backup/restore functionality entirely.'}, {'type': 'list_item', 'content': 'If upgrading is not feasible, only restore backups from trusted sources.'}, {'type': 'list_item', 'content': 'Run Karapace with least-privilege permissions, avoiding root or highly privileged accounts.'}, {'type': 'list_item', 'content': 'Restrict file system access for Karapace, avoiding mounting sensitive host paths.'}, {'type': 'list_item', 'content': 'Pre-validate backup archives to reject any paths containing "../" or absolute paths before processing.'}] [1]