{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24686", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T20:40:23.389Z", "datePublished": "2026-01-27T00:45:43.422Z", "dateUpdated": "2026-01-27T14:40:01.511Z"}, "containers": {"cna": {"title": "go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4"}, {"name": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0", "tags": ["x_refsource_MISC"], "url": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0"}], "affected": [{"vendor": "theupdateframework", "product": "go-tuf", "versions": [{"version": ">= 2.0.0, < 2.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T00:45:43.422Z"}, "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."}], "source": {"advisory": "GHSA-jqc5-w2xx-5vq4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T14:39:18.006561Z", "id": "CVE-2026-24686", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:40:01.511Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24686", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T14:39:18.006561Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:39:48.632Z"}}], "cna": {"title": "go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names", "source": {"advisory": "GHSA-jqc5-w2xx-5vq4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "theupdateframework", "product": "go-tuf", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.4.1"}]}], "references": [{"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4", "name": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0", "name": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T00:45:43.422Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24686", "state": "PUBLISHED", "dateUpdated": "2026-01-27T14:40:01.511Z", "dateReserved": "2026-01-23T20:40:23.389Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T00:45:43.422Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*", "matchCriteriaId": "18AEE62D-019F-48BA-ADF7-C7F5C1C72E9E", "versionEndExcluding": "2.4.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."}], "id": "CVE-2026-24686", "lastModified": "2026-02-24T19:08:46.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T01:16:02.790", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/theupdateframework/go-tuf/v2: go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names", "id": "2433138", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433138"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-24686", "package_state": [{"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-chains-controller-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-cli-tkn-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-opc-rhel9", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-rhel9-operator", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/client-server-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/cosign-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/gitsign-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/policy-controller-operator-bundle", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/policy-controller-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/policy-controller-rhel9-operator", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/rhtas-console-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:openshift_security_profiles_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-security-profiles-operator-bundle", "product_name": "Security Profiles Operator"}, {"cpe": "cpe:/a:redhat:openshift_security_profiles_operator:1", "fix_state": "Fix deferred", "package_name": "compliance/openshift-security-profiles-rhel8-operator", "product_name": "Security Profiles Operator"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:1", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9", "product_name": "Zero Trust Workload Identity Manager"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:1", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/spiffe-spire-oidc-discovery-provider-rhel9", "product_name": "Zero Trust Workload Identity Manager"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:1", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/spiffe-spire-server-rhel9", "product_name": "Zero Trust Workload Identity Manager"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:0", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9", "product_name": "Zero Trust Workload Identity Manager - Tech Preview"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:0", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/spiffe-spire-oidc-discovery-provider-rhel9", "product_name": "Zero Trust Workload Identity Manager - Tech Preview"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:0", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/spiffe-spire-server-rhel9", "product_name": "Zero Trust Workload Identity Manager - Tech Preview"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:0", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/zero-trust-workload-identity-manager-operator-bundle", "product_name": "Zero Trust Workload Identity Manager - Tech Preview"}, {"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:0", "fix_state": "Fix deferred", "package_name": "zero-trust-workload-identity-manager/zero-trust-workload-identity-manager-rhel9", "product_name": "Zero Trust Workload Identity Manager - Tech Preview"}], "public_date": "2026-01-27T00:45:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24686\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24686\nhttps://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0\nhttps://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T02:30:32.289102+00:00", "value": {"mitigation_remediation": ["Upgrade the go\u2011tuf library to 2.4.1 or later, where the vulnerability is patched. ", "Validate or restrict map files obtained from external sources so that only trusted repositories are processed by TAP\u00a04. Multirepo Client. ", "Sanitize or reject repository names that contain path\u2011traversal characters before passing them to the library."], "summary": {"action": "Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The Update Framework (go\u2011tuf) is affected. Vulnerable versions start at 2.0.0 and are fixed in version 2.4.1. Any installation of go\u2011tuf between these releases that accepts map files from untrusted sources is at risk.", "description_and_impact": "A path\u2011traversal flaw in the TAP 4 Multirepo Client of the go\u2011tuf library lets an attacker supply a repository name containing directory traversal sequences such as \"../escaped-repo\". When the library processes such a name it treats it as a filesystem path component and writes the root metadata file outside the intended LocalMetadataDir cache base, creating arbitrary files with the process\u2019s permissions. This can compromise local files and, if executed with elevated privileges, lead to privilege escalation or code execution.", "risk_and_exploitability": "The CVSS score of 4.7 indicates moderate severity, but the EPSS score of less than 1\u202f% signals a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to supply a malicious map file to the application or otherwise control the repoName value; thus the attack vector is contingent on the application\u2019s trust model, ranging from local to remote depending on how map files are obtained."}}}}, "created": "2026-01-27T09:02:59.759826+00:00", "updated": "2026-04-18T02:45:27.273348+00:00", "vendors": ["theupdateframework", "theupdateframework$PRODUCT$go-tuf"]}