{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29050", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.243Z", "datePublished": "2026-04-23T23:58:39.668Z", "dateUpdated": "2026-04-25T01:38:30.604Z"}, "containers": {"cna": {"title": "melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-98f2-w9h9-7fp9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-98f2-w9h9-7fp9"}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"version": ">= 0.32.0, < 0.43.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T23:58:39.668Z"}, "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file \u2014 for example through pull-request-driven CI or build-as-a-service scenarios \u2014 could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + \".yaml\")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. The issue is fixed in melange v0.43.4 via commit 5829ca4. The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory. As a workaround, only run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`."}], "source": {"advisory": "GHSA-98f2-w9h9-7fp9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:38:21.243220Z", "id": "CVE-2026-29050", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:38:30.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29050", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-25T01:38:21.243220Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:38:26.953Z"}}], "cna": {"title": "melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses", "source": {"advisory": "GHSA-98f2-w9h9-7fp9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chainguard-dev", "product": "melange", "versions": [{"status": "affected", "version": ">= 0.32.0, < 0.43.4"}]}], "references": [{"url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-98f2-w9h9-7fp9", "name": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-98f2-w9h9-7fp9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file \u2014 for example through pull-request-driven CI or build-as-a-service scenarios \u2014 could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + \".yaml\")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. The issue is fixed in melange v0.43.4 via commit 5829ca4. The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory. As a workaround, only run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T23:58:39.668Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29050", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:38:30.604Z", "dateReserved": "2026-03-03T17:50:11.243Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T23:58:39.668Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chainguard:melange:*:*:*:*:*:go:*:*", "matchCriteriaId": "3E8363CF-5AF6-4FD7-A491-5D3E8E1F3576", "versionEndExcluding": "0.43.4", "versionStartIncluding": "0.32.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file \u2014 for example through pull-request-driven CI or build-as-a-service scenarios \u2014 could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + \".yaml\")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition. The issue is fixed in melange v0.43.4 via commit 5829ca4. The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory. As a workaround, only run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`."}], "id": "CVE-2026-29050", "lastModified": "2026-04-27T14:31:58.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T00:16:27.303", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-98f2-w9h9-7fp9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.32.0,0.43.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "melange", "source": "cna", "vendor": "chainguard-dev"}, "product": "melange", "vendor": "chainguard"}], "analysis": {"en": {"generated_at": "2026-04-28T07:12:45.400631+00:00", "value": {"mitigation_remediation": ["Upgrade melange to version 0.43.4 or newer, which rejects pipeline[].uses values that are absolute paths or contain \"..\" and ensures the resolved file remains within the pipeline directory.", "In environments where upgrading immediately is not feasible, run melange build only against configuration files from trusted sources and reject any that contain leading slashes or \"..\" sequences in pipeline[].uses before the build starts.", "In continuous\u2011integration systems that build user\u2011supplied melange configs, place a gate that requires manual review of the pipeline[].uses field and prohibits any values that trigger the directory\u2011traversal logic."], "summary": {"action": "Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in Chainguard Dev's melange from version 0.32.0 through 0.43.3. The affected product is the melange command\u2011line tool, which builds Android application packages using declarative pipelines.", "description_and_impact": "The vulnerability allows attackers who can influence a melange configuration file, such as in pull\u2011request\u2011driven continuous integration, to set the pipeline[].uses field to a value containing directory traversal or an absolute path. The build process interprets this value as a file name relative to the configured pipeline directory, which can be moved outside the intended directory using \"../\" sequences or an absolute path. The resulting file is parsed as a new pipeline definition and any commands listed in its runs block are executed via /bin/sh \u2013c in the build sandbox, giving the attacker the ability to run arbitrary shell commands in the build environment. This flaw is a classic directory traversal (CWE\u201122) that leads to remote code execution.", "risk_and_exploitability": "The CVSS score is 6.1, indicating moderate severity, and the EPSS score is <1%, suggesting a low probability of exploitation at the moment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through construction of a malicious or tampered configuration file that is retrieved as part of a CI or build\u2011as\u2011a\u2011service workflow; once the configuration file is processed, the attacker can inject shell commands that run in the build sandbox."}}}}, "created": "2026-04-27T21:15:05.348743+00:00", "updated": "2026-04-28T07:15:19.379992+00:00", "vendors": ["chainguard", "chainguard$PRODUCT$melange"]}