CVE-2026-32685
Path Traversal in Gleam Documentation Builder
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gleam | gleam | From 1.16.0 (inc) to 1.17.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary file read and write operations outside the intended documentation directories, which could lead to unauthorized disclosure or modification of sensitive files.
Such unauthorized access or modification of files may impact compliance with data protection regulations like GDPR or HIPAA, as these standards require strict controls over sensitive data access and integrity.
Exploitation requires user interaction and running the documentation build on untrusted projects, but if exploited, it could result in exposure or alteration of protected information, potentially violating regulatory requirements.
Mitigations such as avoiding untrusted projects, reviewing configuration files, and using isolated environments can help reduce the risk and support compliance efforts.
Can you explain this vulnerability to me?
This vulnerability is a path traversal issue in Gleam's documentation build system. It arises because the entries in the documentation.pages section of gleam.toml are incorporated into filesystem paths without sufficient validation. This allows an attacker to read arbitrary files outside the project directory and write files outside the intended documentation output directory by manipulating the path and source fields.
Specifically, the documentation.pages[].path field can be used to write generated documentation files outside the intended docs output directory, and the documentation.pages[].source field can be used to read files outside the project directory and embed their contents into the generated documentation.
An attacker can exploit this by tricking a victim into running the 'gleam docs build' command on a malicious or untrusted project or gleam.toml file, causing local files readable by the victim to be included in documentation artifacts and allowing unauthorized file writes.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to read sensitive local files on your system and include their contents in generated documentation. It also allows writing files outside the intended documentation output directory, potentially overwriting or creating files in unauthorized locations.
The exploitation requires user interaction, such as running the documentation build command on an untrusted project or with malicious configuration, which could lead to disclosure of sensitive information or unintended modification of files.
Mitigations include avoiding running 'gleam docs build' on untrusted projects, carefully reviewing the gleam.toml configuration files, and using isolated environments like containers for documentation generation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves path traversal in Gleam's documentation build system, specifically through the `documentation.pages` entries in gleam.toml. Detection involves reviewing the contents of gleam.toml files used in your projects for suspicious or untrusted entries in the `documentation.pages[].path` and `documentation.pages[].source` fields that could allow file reads or writes outside intended directories.
Since the vulnerability is triggered when running the `gleam docs build` command on a project with malicious or untrusted gleam.toml content, monitoring or auditing usage of this command on untrusted projects can help detect exploitation attempts.
Suggested commands to help detect potential exploitation or suspicious activity include:
- Manually inspect the `gleam.toml` file for unusual or absolute paths in the `documentation.pages` section.
- Use grep or similar tools to find suspicious `path` or `source` values (absolute paths, or any `..` component) under the `[[documentation.pages]]` tables, for example: `grep -nE '^[[:space:]]*(path|source)[[:space:]]*=[[:space:]]*"(/|(.*/)?\.\.(/|"))' gleam.toml`
- Monitor file system changes outside the expected documentation output directory (e.g., `build/dev/docs/<package>/`) after running `gleam docs build`.
- Check logs or audit trails for execution of `gleam docs build` on untrusted projects.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should avoid running `gleam docs build` on untrusted projects or with untrusted `gleam.toml` content, as exploitation requires user interaction.
Review and validate the `documentation.pages` entries in your `gleam.toml` files to ensure that the `path` and `source` fields do not allow file reads or writes outside the intended directories.
Use isolated environments such as containers or virtual machines to run the documentation build process, limiting the potential impact of any exploitation.
Upgrade Gleam to a version where this vulnerability is patched (after 1.17.0) to benefit from the fixes that enforce strict path validation and prevent directory traversal.
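The detection and mitigation answers above both come down to the same check: every `documentation.pages` entry's `path` must stay under the docs output directory and its `source` must stay under the project directory. The script below is an added example, not code from the advisory or the Gleam project, that performs that check statically on a `gleam.toml` before anyone runs `gleam docs build`. It assumes the `[[documentation.pages]]` array-of-tables layout with `path` and `source` keys, that the docs output directory follows the `build/dev/docs/<package>/` layout named above, and that a purely lexical normalisation is acceptable for a config audit (the sample `gleam.toml` and the `/work/example_app` project root are constructed for the example).

```python
"""Audit gleam.toml documentation.pages entries for path traversal (CVE-2026-32685).

Added example, not part of the advisory or the Gleam project. The check is
lexical: it audits what the file says, not what symlinks on disk would do at
build time, so it is a pre-build review aid rather than a substitute for the
fixed release.
"""
import posixpath

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters: use the minimal subset parser below
    tomllib = None

# Constructed sample gleam.toml; the last two entries are deliberately bad.
SAMPLE_GLEAM_TOML = """\
name = "example_app"
version = "1.0.0"

[[documentation.pages]]
title = "Changelog"
path = "changelog.html"
source = "CHANGELOG.md"

[[documentation.pages]]
title = "Relative escape"
path = "../../../tmp/escaped.html"
source = "../../../../etc/hostname"

[[documentation.pages]]
title = "Absolute escape"
path = "/tmp/escaped.html"
source = "/etc/hostname"
"""


def _fallback_pages(text):
    """Minimal parser: only [[documentation.pages]] tables with `key = "value"` lines."""
    pages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[documentation.pages]]":
            current = {}
            pages.append(current)
        elif line.startswith("["):
            current = None  # some other table; stop collecting keys
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return pages


def load_pages(text):
    """Return the list of documentation.pages tables from gleam.toml text."""
    if tomllib is not None:
        return tomllib.loads(text).get("documentation", {}).get("pages", [])
    return _fallback_pages(text)


def _is_within(base, candidate):
    """Lexical containment: candidate joined to base and normalised stays under base."""
    if posixpath.isabs(candidate):
        return False
    base = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base, candidate))
    return joined == base or joined.startswith(base + "/")


def audit_pages(pages, project_dir, docs_dir):
    """Return (index, field, value, reason) for every entry that escapes its directory.

    `path` is written under docs_dir; `source` is read from project_dir.
    """
    findings = []
    for i, page in enumerate(pages):
        for field, base in (("path", docs_dir), ("source", project_dir)):
            value = page.get(field)
            if value is None:
                continue
            if posixpath.isabs(value):
                findings.append((i, field, value, "absolute path"))
            elif not _is_within(base, value):
                findings.append((i, field, value, f"escapes {base}"))
    return findings


def audit_toml(text, project_dir="/work/example_app", package="example_app"):
    """Audit gleam.toml text against the build/dev/docs/<package>/ output layout."""
    docs_dir = posixpath.join(project_dir, "build", "dev", "docs", package)
    return audit_pages(load_pages(text), project_dir, docs_dir)


if __name__ == "__main__":
    for idx, field, value, reason in audit_toml(SAMPLE_GLEAM_TOML):
        print(f"pages[{idx}].{field} = {value!r}: {reason}")
```

Run against the sample, the first entry passes and the other two produce four findings (two relative escapes, two absolute paths). Because the check is lexical, it also flags an entry such as `docs/../../x` that a naive "starts with `..`" test would miss; what it cannot see is a symlink inside the project that points outside it, which is why the upgrade to the fixed release remains the real mitigation.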