CVE-2026-40090
Arbitrary File Write in Zarf Package Inspect Commands
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lfprojects | zarf | From 0.23.0 (inc) to 0.74.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to write arbitrary files to any location the user running the inspect commands can write to, potentially overwriting sensitive files such as an SSH authorized_keys file or a cron job.
While the vulnerability has a high integrity impact due to the ability to modify or create files, it does not result in confidentiality loss or data exfiltration.
Because it does not expose or leak sensitive data, it does not by itself cause the kind of personal-data breach that GDPR and HIPAA are most concerned with.
However, both GDPR (Article 32) and the HIPAA Security Rule also require the integrity of systems and data to be protected, so modifications that lead to unauthorized system behaviour or data-integrity problems can still affect compliance.
Can you explain this vulnerability to me?
CVE-2026-40090 is a path traversal vulnerability in the Zarf tool, specifically in the `zarf package inspect sbom` and `zarf package inspect documentation` subcommands. These commands build their output file paths by joining a user-supplied output directory with the package's Metadata.Name field, which is read from the zarf.yaml manifest inside the package being inspected. That manifest is attacker-controlled for any package that did not come from a trusted source.
Although Metadata.Name is validated against a regex when a package is created, nothing re-validates it when the package is read. An attacker can therefore unpack a package, edit Metadata.Name in zarf.yaml to contain path traversal sequences (like `../../etc/cron.d/malicious`) or an absolute path (like `/home/user/.ssh/authorized_keys`), and repack it. When a victim inspects the modified package, the output is written wherever the manipulated name points, limited only by the filesystem permissions of the user running the inspect command.
The vulnerability requires user interaction (running the inspect commands) but no special privileges for the attacker. It affects versions from 0.23.0 up to but not including 0.74.2 and has been fixed in version 0.74.2.
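As an added example, not Zarf's own code, the Go program below models the path construction the advisory describes and a hardened replacement. The package-name regexp, the `-sbom` suffix, and the treatment of an unset output directory as an empty string are assumptions made for the demonstration; the real Zarf source is not reproduced here. The vulnerable function trusts Metadata.Name because it was validated at create time; the hardened one re-validates the name on read and additionally checks that the cleaned output path still lies inside the output directory.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ASSUMPTION: a DNS-label style pattern standing in for Zarf's create-time
// name check. It is deliberately strict: "/", "\" and "." cannot appear.
var packageNamePattern = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)

// vulnerableOutputPath models the pattern the advisory describes: the output
// directory is joined with Metadata.Name read from the package, and the name
// is trusted because it "was validated at create time". Whoever edits
// zarf.yaml inside the package controls it.
//
// suffix is illustrative (e.g. "-sbom"). An unset output directory is
// modelled as "" (assumption); in that case filepath.Join returns an
// absolute name unchanged, and "../" components escape a set directory.
func vulnerableOutputPath(outputDir, pkgName, suffix string) string {
	return filepath.Join(outputDir, pkgName+suffix)
}

// safeOutputPath applies two independent controls:
//  1. re-validate the name on read, because the manifest is untrusted once
//     the package leaves the builder;
//  2. confirm the final, cleaned path still lies inside the output
//     directory, which survives any future loosening of rule 1.
func safeOutputPath(outputDir, pkgName, suffix string) (string, error) {
	if !packageNamePattern.MatchString(pkgName) {
		return "", fmt.Errorf("package name %q fails validation", pkgName)
	}
	base, err := filepath.Abs(outputDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, pkgName+suffix)
	if !isWithin(base, target) {
		return "", fmt.Errorf("output path %q escapes output directory %q", target, base)
	}
	return target, nil
}

// isWithin reports whether target is base or a descendant of base. It uses
// filepath.Rel, which normalises ".." components, rather than a string
// prefix test, which would wrongly accept "/tmp/out-evil/x" for "/tmp/out".
func isWithin(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return false
	}
	if rel == "." {
		return true
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed inputs: one benign name plus the two hostile names quoted
	// in the advisory.
	names := []string{"my-app", "../../etc/cron.d/malicious", "/home/user/.ssh/authorized_keys"}
	for _, n := range names {
		fmt.Printf("name %q\n", n)
		fmt.Printf("  vulnerable (output dir /tmp/zarf-out): %s\n", vulnerableOutputPath("/tmp/zarf-out", n, "-sbom"))
		fmt.Printf("  vulnerable (output dir unset):         %s\n", vulnerableOutputPath("", n, ""))
		if p, err := safeOutputPath("/tmp/zarf-out", n, "-sbom"); err != nil {
			fmt.Printf("  hardened: rejected: %v\n", err)
		} else {
			fmt.Printf("  hardened: %s\n", p)
		}
	}
}
```

The containment check in `isWithin` is the part worth keeping even after the regex is in place: it turns a future validation bug into a rejected write instead of a file outside the output directory.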
How can this vulnerability impact me?
This vulnerability allows an attacker to write arbitrary files to locations on the filesystem within the permissions of the user running the vulnerable commands. This can lead to high integrity impact because the attacker can overwrite or create files such as SSH authorized_keys, cron jobs, or shell profiles.
While there is no loss of confidentiality, the attacker can compromise system integrity and potentially affect availability by overwriting critical system files, although availability impact is considered low.
The attack complexity is low, and no special privileges are required, but user interaction is necessary since the user must run the inspect commands on a maliciously crafted package.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether you are running a vulnerable version of Zarf (versions 0.23.0 through 0.74.1); `zarf version` prints the installed version. Exposure is limited to hosts where those versions are used to inspect packages with the vulnerable subcommands.
Specifically, the vulnerability exists in the commands: `zarf package inspect sbom` and `zarf package inspect documentation`.
To detect exploitation or its artefacts, look for files written outside the output directory that was supplied to the inspect command, especially in the locations an attacker would target with traversal sequences (e.g., `../../etc/cron.d/malicious`) or absolute paths (e.g., `/home/user/.ssh/authorized_keys`). Inspecting a package's zarf.yaml before running the inspect commands is also worthwhile: a Metadata.Name containing `/`, `..`, or anything other than lowercase letters, digits and hyphens is a red flag.
Suggested commands to check for suspicious files or artefacts:
- Use `find` to list recently modified files in sensitive locations outside the intended output directory, for example: `find /etc/cron.d ~/.ssh ~/.bashrc ~/.profile -type f -mtime -7` for files modified in the last 7 days. Nothing written by an inspect run should appear anywhere other than the output directory you supplied.
- Review sensitive files for unexpected entries, e.g., `ls -l /etc/cron.d/` and `cat ~/.ssh/authorized_keys`, and confirm every cron entry and key is one you added.
- Audit shell history (`~/.bash_history`, `~/.zsh_history`), auditd records, or other command logging for executions of `zarf package inspect sbom` or `zarf package inspect documentation` against packages from untrusted sources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Zarf to version 0.74.2 or later, where the vulnerability has been fixed by sanitizing the package name to prevent path traversal.
Until you can upgrade, do not inspect untrusted or unsigned packages with the vulnerable subcommands (`zarf package inspect sbom` and `zarf package inspect documentation`). Choosing a scratch output directory does not help, because the crafted name escapes it.
Review and remove any suspicious files that may have been written by exploitation of this vulnerability, paying particular attention to cron directories, SSH authorized_keys files and shell profiles.
Run the inspect commands as an unprivileged user, ideally inside a container or throwaway VM, so that an arbitrary file write cannot reach cron, SSH or system configuration on the host.