CVE-2026-32146
Path Traversal in Gleam Compiler Git Dependency Causes Data Loss

Publication date: 2026-04-11

Last updated on: 2026-04-14

Assigner: EEF

Description
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.4.
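The defect the description names, shown as an added illustration that is not Gleam's own code: a dependency name joined onto the dependency directory as-is (the vulnerable pattern) beside a hardened variant that enforces the naming convention and confirms the result stays inside that directory. The directory `build/packages`, the function names and the sample dependency names are assumptions constructed for this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Dependency names are expected to be lowercase ASCII letters, digits and
/// underscores, starting with a lowercase letter. Anything else (including
/// `.`, `/` and `\`) is rejected before it can reach a filesystem path.
pub fn is_valid_dep_name(name: &str) -> bool {
    let mut chars = name.chars();
    match chars.next() {
        Some(c) if c.is_ascii_lowercase() => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_')
}

/// Vulnerable pattern (constructed illustration, not Gleam's code): the name
/// is joined onto the dependency directory unchecked. `Path::join` replaces
/// the base entirely when given an absolute path, and `..` components walk
/// out of it, so the resulting path can point anywhere on the filesystem.
pub fn dep_path_unchecked(deps_dir: &Path, name: &str) -> PathBuf {
    deps_dir.join(name)
}

/// Hardened version: validate the name first, then confirm that everything
/// after `deps_dir` is made of plain (`Normal`) components only.
pub fn dep_path_checked(deps_dir: &Path, name: &str) -> Result<PathBuf, String> {
    if !is_valid_dep_name(name) {
        return Err(format!("invalid dependency name: {name:?}"));
    }
    let candidate = deps_dir.join(name);
    let confined = candidate
        .strip_prefix(deps_dir)
        .map(|rest| rest.components().all(|c| matches!(c, Component::Normal(_))))
        .unwrap_or(false);
    if !confined {
        return Err(format!("path escapes {}: {}", deps_dir.display(), candidate.display()));
    }
    Ok(candidate)
}

fn main() {
    // Assumed dependency directory; sample names are constructed for the demo.
    let deps = Path::new("build/packages");
    for name in ["gleam_stdlib", "../../.git/hooks", "/etc/profile.d"] {
        println!("unchecked: {}", dep_path_unchecked(deps, name).display());
        match dep_path_checked(deps, name) {
            Ok(p) => println!("checked:   {}", p.display()),
            Err(e) => println!("rejected:  {e}"),
        }
    }
}
```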
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product   Version / Range
gleam_lang  gleam     From 1.9.0-rc1 (inc) to 1.15.3 (inc)
gleam_lang  gleam     to 1.16.0-rc1 (inc)
gleam       gleam     From 1.9.0-rc1 (inc) to 1.16.0-rc1 (exc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32146 is an improper path validation vulnerability in the Gleam compiler's handling of git dependencies. It occurs because dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory.

This allows attacker-controlled paths using relative traversal sequences (like ../) or absolute paths to escape the designated directory. During git dependency resolution (for example, when running gleam deps download), these paths are used for filesystem operations such as directory deletion and creation.

As a result, a malicious direct or transitive git dependency can delete or overwrite files and directories outside the intended dependency directory, potentially causing data loss. In some cases, this can be escalated to code execution by overwriting executable files such as git hooks or shell configuration files.


How can this vulnerability impact me?

This vulnerability can lead to arbitrary file system modification outside the intended dependency directory during the dependency download phase. An attacker controlling a malicious git dependency can delete or overwrite files anywhere the user running the command has permission.

Potential impacts include data loss from deletion or overwriting of important files and directories, disruption of development workflows, and in some environments, the possibility of code execution by placing malicious files in executable locations such as .git/hooks or shell configuration files.

Exploitation requires user interaction (running the dependency download command) but no special privileges, making it a significant risk especially when using untrusted or unpinned git dependencies.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs during the dependency resolution and download phase when running commands like `gleam deps download`. Detection involves monitoring or inspecting the dependency names in your `gleam.toml` and `manifest.toml` files for suspicious or malformed paths that include relative traversal sequences (e.g., `../`) or absolute paths that escape the intended dependency directory.

You can detect potential exploitation by reviewing your dependency tree, especially git dependencies, for untrusted or unexpected sources and by checking for unusual filesystem modifications outside the expected dependency directories after running dependency resolution commands.

Suggested commands include:

  • Manually inspect `gleam.toml` and `manifest.toml` files for dependency names containing path traversal patterns like `../` or absolute paths.
  • Run `gleam deps download` in a controlled environment and monitor filesystem changes outside the dependency directory using tools like `inotifywait` (Linux) or `fswatch` (macOS).
  • Use `git log` or other version control commands to check for unexpected changes in `.git/hooks` or shell configuration files that could indicate exploitation.
  • Audit your dependency tree with commands or scripts that list all git dependencies and verify their sources and commit SHAs.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of untrusted git dependencies, especially those not pinned to specific commit SHAs.

Carefully review your dependency tree, including transitive git dependencies, to ensure all dependencies come from trusted sources.

Run dependency resolution commands such as `gleam deps download` in isolated or restricted environments, like containers or sandboxes, to limit potential filesystem impact.

Upgrade Gleam to version 1.15.3 or later, where patches addressing this vulnerability have been applied, enforcing strict validation of dependency names and preventing path traversal.

Validate your `gleam.toml` and `manifest.toml` files to ensure dependency names conform to the expected naming conventions (only lowercase letters, numbers, and underscores, starting with a lowercase letter) to prevent malformed or malicious dependency names.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows arbitrary file system modification outside the intended dependency directory during git dependency resolution in Gleam. This can lead to deletion or overwriting of files, potentially causing data loss and unauthorized code execution.

Such unauthorized modification and potential data loss can impact the confidentiality, integrity, and availability of systems and data, which are core principles in common standards and regulations like GDPR and HIPAA.

If exploited in environments handling sensitive personal or health data, this vulnerability could lead to non-compliance with these regulations due to failure to adequately protect data and system integrity.

Mitigation involves avoiding untrusted git dependencies, pinning dependencies to specific commit SHAs, reviewing dependency trees carefully, and running dependency resolution in isolated or restricted environments to reduce risk.

