CVE-2026-34730
Received Received - Intake
Arbitrary File Read in Copier _external_data Allows Data Exposure

Publication date: 2026-04-02

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
copier-org copier to 9.14.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Copier's `_external_data` feature allows templates to load YAML files using paths controlled by the template. Due to insufficient path validation, a malicious template can perform path traversal or use absolute paths to read arbitrary local files accessible to the user running Copier. This means that files outside the intended project directory can be read and their contents exposed in the rendered output.

Specifically, the function responsible for loading these files does not verify that the resolved file path stays within the project directory, unlike other Copier operations that block such escapes. This flaw enables unauthorized disclosure of local files without requiring elevated privileges, only some user interaction.

The issue was fixed in Copier version 9.14.1 by adding checks that prevent reading files outside the project directory unless the user explicitly opts in with unsafe flags.

Compliance Impact

The vulnerability in Copier prior to version 9.14.1 allows unauthorized reading of local files accessible to the user running Copier, potentially exposing sensitive information contained in those files. This results in a high confidentiality loss, which could impact compliance with data protection standards and regulations such as GDPR and HIPAA that require safeguarding sensitive and personal data against unauthorized disclosure.

Since the vulnerability enables local file disclosure without integrity or availability impact, organizations using Copier in environments subject to these regulations should consider the risk of sensitive data exposure through malicious templates. The fix in version 9.14.1 enforces path containment checks and requires explicit user consent to access files outside the intended directory, thereby mitigating unauthorized data exposure and improving compliance posture.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive local files that the user running Copier has access to. A malicious template can read and expose confidential information such as secrets, configuration files, or other YAML/JSON/plain-text files by including them in the rendered output.

The impact is primarily on confidentiality, with no effect on integrity or availability. The attack requires local access and some user interaction but no special privileges.

Therefore, if you use Copier with untrusted templates, your sensitive local data could be exposed unintentionally.

Detection Guidance

This vulnerability involves the Copier tool's `_external_data` feature allowing templates to read arbitrary local files via path traversal or absolute paths. Detection involves checking if Copier templates in use specify `_external_data` keys with paths that escape the intended subproject directory.

You can inspect templates for suspicious `_external_data` entries such as relative paths with `..` (e.g., `../secret.yml`) or absolute paths (e.g., `/etc/passwd`).

Since the vulnerability manifests when rendering templates, monitoring Copier runs for unexpected file reads or rendered output containing sensitive file contents can help detect exploitation.

Suggested commands include searching template files for `_external_data` usage with path traversal patterns:

  • grep -r '_external_data' /path/to/templates | grep '\.\./'
  • grep -r '_external_data' /path/to/templates | grep '^\s*\/.*'

Additionally, you can run Copier in a controlled environment with debugging or verbose logging enabled to observe if any external files outside the subproject root are accessed during template rendering.

Mitigation Strategies

The primary mitigation is to upgrade Copier to version 9.14.1 or later, where the vulnerability is fixed by enforcing path checks on `_external_data` entries.

If upgrading immediately is not possible, avoid using untrusted templates that specify `_external_data` paths, especially those that may include relative paths with `..` or absolute paths.

Run Copier with the `--trust` or `--UNSAFE` flags only if you explicitly trust the templates, as these flags allow external data loading outside the subproject root.

Review and audit templates to ensure they do not attempt to load external data from outside the intended directory.

Consider restricting file system permissions of the user running Copier to limit access to sensitive files that could be read via this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34730. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart