CVE-2026-34726
Status: Received
Directory Traversal in Copier Template Root Allows Unauthorized File Access

Publication date: 2026-04-02

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
Copier is a library and CLI app for rendering project templates. Its `_subdirectory` setting is documented as the subdirectory to use as the template root. In versions prior to 9.14.1, however, the implementation accepts parent-directory traversal such as `..` and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without `--UNSAFE`. This issue has been patched in version 9.14.1.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-02
EPSS evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: copier-org
Product: copier
Version range: all versions before 9.14.1 (9.14.1 itself is not affected)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in Copier involves its handling of the `_subdirectory` setting, which is intended to specify a subdirectory within a template root. Prior to version 9.14.1, Copier allowed the use of parent-directory traversal sequences like `..` in the `_subdirectory` path. This meant that a template could escape its own directory and access or render files from parent directories without requiring the `--UNSAFE` flag.

Technically, the issue was that the `_subdirectory` value was concatenated with the template's local absolute path without any validation, so `..` segments stepped outside the intended template root. Files reachable from the parent directory were then treated as part of the template and rendered into the destination project, with no `--UNSAFE` flag required from the user.

The vulnerability was fixed by enforcing that the resolved `_subdirectory` path must be within the template root directory. If the path escapes this root, Copier raises a `ForbiddenPathError` and blocks the operation.
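The two behaviours described above, side by side, as an added example written for this page (it is not Copier's code, and the exception name `ForbiddenPathError` is taken from the advisory's wording rather than from Copier's source): `template_root_unsafe` joins the setting onto the template path the way the advisory says affected versions did, while `template_root_safe` resolves the result and refuses anything that does not land under the root. `demo()` builds a throwaway `parent/secret.txt` next to `parent/template/` in a temp directory (constructed data) and shows that `_subdirectory: ..` reaches the secret with the first function and is rejected by the second.

```python
from pathlib import Path
import tempfile


class ForbiddenPathError(Exception):
    """Assumed name for the error the advisory says 9.14.1 raises on escape."""


def template_root_unsafe(local_abspath: Path, subdirectory: str) -> Path:
    """Behaviour described for Copier < 9.14.1: the setting is joined onto the
    template's absolute path and used as-is, so '..' walks out of the clone."""
    return local_abspath / subdirectory


def template_root_safe(local_abspath: Path, subdirectory: str) -> Path:
    """Containment check in the spirit of the 9.14.1 fix (a reconstruction, not
    Copier's code): resolve both sides, then require the candidate to sit
    under the root. resolve() collapses '..', follows symlinks and lets an
    absolute `subdirectory` replace the root, so all three escape routes end
    up in the same comparison."""
    root = local_abspath.resolve()
    candidate = (root / subdirectory).resolve()
    if not candidate.is_relative_to(root):
        raise ForbiddenPathError(
            f"_subdirectory {subdirectory!r} resolves to {candidate}, outside {root}"
        )
    return candidate


def escapes_root(local_abspath: str, subdirectory: str) -> bool:
    """True when the hardened resolver would refuse this `_subdirectory`."""
    try:
        template_root_safe(Path(local_abspath), subdirectory)
    except ForbiddenPathError:
        return True
    return False


def demo() -> dict:
    """Lay out parent/secret.txt next to parent/template/src (constructed, in a
    temp dir) and resolve `_subdirectory: ..` with both functions."""
    with tempfile.TemporaryDirectory() as tmp:
        parent = Path(tmp) / "parent"
        template = parent / "template"
        (template / "src").mkdir(parents=True)
        (parent / "secret.txt").write_text("not part of the template\n")

        # Vulnerable behaviour: the root now points one level up.
        escaped = template_root_unsafe(template, "..")
        unsafe_sees_secret = (escaped / "secret.txt").is_file()

        # Hardened behaviour: the same value is refused.
        try:
            template_root_safe(template, "..")
            safe_blocked = False
        except ForbiddenPathError:
            safe_blocked = True

        # A legitimate subdirectory still works after the check.
        safe_relative_ok = template_root_safe(template, "src") == (template / "src").resolve()
        return {
            "unsafe_sees_secret": unsafe_sees_secret,
            "safe_blocked": safe_blocked,
            "safe_relative_ok": safe_relative_ok,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the check is on the resolved path, not on the text of the setting: `a/../b` passes (it never leaves the root), `src/../..` is refused, and a symlink inside the template that points outside it is refused too, which a plain string search for `..` would miss.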


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows a template to escape its own directory and render files from the parent directory without explicit unsafe flags, potentially leading to unauthorized access to files outside the intended template scope.

Such unauthorized file access could lead to exposure of sensitive or regulated data, which may impact compliance with standards like GDPR or HIPAA that require strict control over data access and protection.

However, the provided information does not explicitly discuss compliance implications or specific impacts on regulatory standards.


How can this vulnerability impact me?

This vulnerability can impact you by allowing a template to access and render files outside its designated directory. This means that sensitive or unauthorized files located in parent directories could be exposed or included unintentionally during template rendering.

Such unauthorized file access could lead to information disclosure or leakage of confidential data, potentially compromising the security of your projects or systems that use Copier for templating.

As reported, exploitation needs local access (AV:L) and user interaction (UI:R): someone has to run Copier against a template whose `_subdirectory` traverses upward. The confidentiality and integrity impacts are rated low, but the effect is concrete: files from the template's parent directory are rendered into the generated project without `--UNSAFE`, so the user never sees the prompt that would normally flag a template as trusted-only.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the `_subdirectory` setting in Copier templates allowing directory traversal outside the intended template root. There is nothing to observe on the network; detection comes down to two checks: which Copier version is installed, and whether any template you render sets `_subdirectory` to a value that escapes its root.

  • Check the installed version (anything below 9.14.1 is affected): `pip show copier` or `copier --version`.
  • Manually review `copier.yml` (or `copier.yaml`) in every template you consume for `_subdirectory` entries containing `..` or an absolute path.
  • List every `_subdirectory` value across a tree of templates, then inspect the values: `grep -rn --include='copier.y*ml' '_subdirectory' /path/to/copier/templates`
  • Narrow to values containing a parent-directory reference (the dots must be escaped: an unescaped `..`, as in `grep '_subdirectory: ..'`, matches any two characters and finds nothing useful): `grep -rnE --include='copier.y*ml' '^_subdirectory:.*\.\.' /path/to/copier/templates`
  • Narrow to absolute values: `grep -rnE --include='copier.y*ml' "^_subdirectory:[[:space:]]*['\"]?/" /path/to/copier/templates`

Run the same search over third-party templates before rendering them, not only over templates you maintain. A `ForbiddenPathError` is raised only by the fixed code, so that error in Copier's output tells you an upgraded Copier refused an escaping template; on an unpatched version the traversal succeeds silently and leaves no such trace.
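The greps above are lexical and can be wrong in both directions: `a/../b` contains `..` but never leaves the root, while `src/../..` does. As an added example for this page (not Copier's code and not part of the advisory), the script below pulls `_subdirectory` out of copier.yml files, normalises the value and reports only the ones that escape or are absolute. The sample file contents in `SAMPLES` are constructed; the decision to flag Jinja expressions for manual review is my assumption, since their value is only known at render time.

```python
import posixpath
import re
from pathlib import Path

# Constructed copier.yml contents keyed by a made-up path (not real templates).
SAMPLES = {
    "safe/copier.yml": "_subdirectory: template\n_answers_file: .copier-answers.yml\n",
    "escape/copier.yml": "# project template\n_subdirectory: '../../'   # walks out of the clone\n",
    "sneaky/copier.yml": '_subdirectory: "src/../.."\n',
    "absolute/copier.yml": "_subdirectory: /etc\n",
    "lexical-noise/copier.yml": "_subdirectory: a/../b\n",
    "dynamic/copier.yml": '_subdirectory: "{{ flavour }}"\n',
    "none/copier.yml": "_templates_suffix: .jinja\n",
}

_SUBDIR_RE = re.compile(r"^\s*_subdirectory\s*:\s*(.*?)\s*$")


def _yaml_scalar(raw: str) -> str:
    """Good-enough scalar extraction for a single-line value: honour one pair
    of quotes and drop a trailing ' # comment'. Block scalars and flow
    collections are not handled; a full audit would load the file with a
    YAML parser and read the key from the mapping."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return re.split(r"\s+#", raw, maxsplit=1)[0].strip()


def classify_subdirectory(value: str) -> str:
    """Lexical verdict on a `_subdirectory` value without knowing where the
    template will be cloned: 'escapes' when the normalised path starts with
    '..', 'absolute' for a POSIX or drive-letter absolute path, 'dynamic' for
    a Jinja expression rendered at run time (assumed to need manual review),
    'ok' when it stays under the template root."""
    if "{{" in value:
        return "dynamic"
    if posixpath.isabs(value) or re.match(r"^[A-Za-z]:[\\/]", value):
        return "absolute"
    norm = posixpath.normpath(value.replace("\\", "/")) if value else "."
    if norm == ".." or norm.startswith("../"):
        return "escapes"
    return "ok"


def scan(files: dict) -> list:
    """Return (path, line number, value, verdict) for every value that is not 'ok'."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = _SUBDIR_RE.match(line)
            if not match:
                continue
            value = _yaml_scalar(match.group(1))
            verdict = classify_subdirectory(value)
            if verdict != "ok":
                findings.append((name, lineno, value, verdict))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory of templates and scan every copier.yml / copier.yaml."""
    files = {
        str(p): p.read_text(encoding="utf-8", errors="replace")
        for p in Path(root).rglob("copier.y*ml")
        if p.is_file()
    }
    return scan(files)


if __name__ == "__main__":
    for path, lineno, value, verdict in scan(SAMPLES):
        print(f"{path}:{lineno}: _subdirectory={value!r} -> {verdict}")
```

`scan_tree("/path/to/copier/templates")` does the same over real files. Because the verdict is lexical, a symlink inside the template that points outside it is invisible here; that case is only caught by resolving the path against the actual clone, which is what the fixed Copier does.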


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Copier to version 9.14.1 or later, where this vulnerability has been patched.

The patch enforces that the `_subdirectory` path must reside within the template root directory and raises an error if it attempts to escape it.

  • Upgrade Copier to version 9.14.1 or newer, and pin that minimum in any requirements or lock file that installs it.
  • Review and sanitize all `_subdirectory` settings in templates you author or consume, so that none contains parent-directory traversal or an absolute path outside the template root.
  • Do not pass `--UNSAFE` when rendering templates you do not fully trust: it disables safety checks and also enables the template's own tasks and migrations, which run arbitrary commands on your machine.

These steps will prevent unauthorized file access outside the intended template directory and mitigate the risk posed by this vulnerability.

