CVE-2026-54557
Received Received - Intake
mise Symlink Path Traversal via Raw Version String

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-54557
EUVD
EUVD-2026-39814
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-54557 vulnerability in the mise HTTP backend occurs because it uses the raw version string to build symlink destinations instead of sanitized paths. This flaw allows an attacker to create symbolic links outside the intended installation directory by providing a specially crafted version string that can be an absolute path. On Unix-like systems, this causes the symlink to be created in arbitrary locations outside the mise install tree.

Specifically, a repository-controlled .tool-versions file can exploit this behavior to place symlinks in attacker-controlled directories. This can lead to placing executable symlinks under attacker-selected absolute prefixes, such as developer-tool prefixes that might later be added to the system PATH.

This vulnerability was fixed in mise version 2026.6.1 by ensuring that sanitized version paths are used for symlink creation, preventing symlinks from being created outside the designated installation directories.

Impact Analysis

This vulnerability can impact you by allowing unauthorized creation of symbolic links outside the intended installation directory. This can lead to unauthorized file system modifications.

An attacker could place executable symlinks in directories that are later included in your system's PATH environment variable, potentially enabling execution of malicious code when those symlinks are invoked.

Overall, this can compromise system integrity and security by allowing code execution through manipulated symlinks.

Detection Guidance

This vulnerability involves the creation of symlinks outside the intended mise install directory due to improper handling of version paths in the HTTP backend. Detection would involve checking for unexpected or unauthorized symlinks created by mise, especially those located outside the normal installation directories.

You can inspect the filesystem for symlinks created by mise that point outside the expected install tree. For example, on Unix-like systems, you might use commands like:

  • find /path/to/mise/install -type l -exec ls -l {} + | grep -v '/path/to/mise/install'
  • find / -type l -user mise_user -exec ls -l {} + # if mise runs under a specific user
  • Check the .tool-versions file in repositories for absolute paths that could trigger this issue.
Mitigation Strategies

The primary mitigation is to upgrade mise to version 2026.6.1 or later, where the vulnerability has been fixed by sanitizing version paths used for symlink creation.

Until the upgrade can be applied, avoid using untrusted or repository-controlled .tool-versions files that specify absolute paths, as these can be exploited to create symlinks outside the intended directories.

Additionally, monitor and restrict permissions on directories where mise installs tools to prevent unauthorized symlink creation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54557. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart