CVE-2026-42795
Deferred Deferred - Pending Action
Symlink Following in Gleam Hex Package Export

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: EEF

Description
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package. An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact. This issue affects Gleam from 0.10.0-rc1 until 1.17.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-42795
EUVD
EUVD-2026-33928
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gleam gleam From 0.10.0-rc1 (inc) to 1.17.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows sensitive files such as secrets, tokens, or SSH keys to be silently embedded into published package artifacts if an attacker with write access places a symlink pointing outside the project root. This exposure of sensitive information can lead to non-compliance with data protection regulations and standards that require safeguarding confidential data.

Specifically, the high impact on confidentiality caused by this vulnerability could violate requirements under regulations like GDPR and HIPAA, which mandate strict controls over the handling and disclosure of sensitive information.

Mitigations such as reviewing directories for unexpected symlinks before publishing and using isolated environments for publishing are recommended to reduce the risk of accidental data exposure and help maintain compliance.

Executive Summary

CVE-2026-42795 is a symlink following vulnerability in the Gleam programming language's Hex package export functionality. The issue arises because the file collection helpers in Gleam use a method that follows symbolic links when gathering files from publishable directories such as src/ and priv/. However, the system does not verify whether the resolved symlink targets remain within the project root directory.

An attacker with write access to the project repository can create a symlink inside these directories that points to arbitrary files outside the project, such as sensitive system files. When a maintainer or CI pipeline runs commands like gleam publish or gleam export hex-tarball, the contents of these external files are silently embedded into the generated package tarball, potentially exposing sensitive information.

Impact Analysis

This vulnerability can lead to the unintended inclusion and exposure of sensitive files in published Gleam packages. If an attacker places a malicious symlink in the project, files such as secrets, tokens, or SSH keys that are readable by the publisher can be embedded into the package artifact without detection.

As a result, sensitive information may be leaked to anyone who downloads or inspects the published package, compromising confidentiality and potentially leading to further security breaches.

Detection Guidance

This vulnerability can be detected by reviewing the publishable directories such as src/ and priv/ in your Gleam project for unexpected symbolic links that point outside the project root directory.

A practical approach is to list all symlinks within these directories and verify their targets. For example, you can use the following command in a Unix-like system to find symlinks and their targets:

  • find src/ priv/ -type l -exec ls -l {} +

This command lists all symbolic links under src/ and priv/ along with their target paths. You should check if any of these targets point outside the project root or to sensitive files.

Additionally, inspecting the contents of the generated package tarball for unexpected files can help detect exploitation. Extract the tarball and look for files that should not be included, especially those outside the project scope.

Mitigation Strategies

Immediate mitigation steps include reviewing the src/ and priv/ directories in your Gleam project for any unexpected or malicious symbolic links before running publishing commands.

Remove or correct any symlinks that point outside the project root to prevent sensitive files from being included in the package.

Run publishing commands such as gleam publish or gleam export hex-tarball in isolated or restricted environments, like containers, that do not have access to sensitive files on the host system.

Upgrade Gleam to version 1.17.0 or later, where this vulnerability has been patched by adding path validation to ensure only files within the project root are included in the package.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42795. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart