Platform
go
Component
github.com/treeverse/lakefs
Fixed in
1.77.1
1.77.0
CVE-2026-26187 is a Path Traversal vulnerability discovered in lakeFS, a Git-like storage system for data lakes. This flaw allows attackers to bypass access controls and potentially access sensitive data or modify configurations outside of their intended scope. The vulnerability impacts versions of lakeFS before 1.77.0, and a patch has been released to address the issue.
The core of the vulnerability lies in the lakeFS local block adapter, which handles interactions with the underlying storage system. Due to insufficient validation of user-supplied paths, an attacker can craft malicious requests containing path traversal sequences (e.g., ../..) to navigate outside of the intended directory structure. This allows them to access files and directories they should not have access to, potentially including sensitive configuration files, data belonging to other users or namespaces, or even system files. The potential impact ranges from information disclosure to arbitrary file manipulation, depending on the permissions of the affected user and the accessibility of the targeted files. Successful exploitation could lead to a complete compromise of the lakeFS instance and the data it manages.
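The following added example (not lakeFS's own adapter code; the function names, the storage root `/data/lakefs` and the object keys are constructed for illustration) contrasts the defect class described above with a hardened path resolver. The unsafe version joins the user-supplied key onto the root and stops there; the safe version cleans the result and uses `filepath.Rel` to confirm it never leaves the root, which is the check the advisory says the adapter lacked.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathOutsideRoot is returned when an object key would resolve to a file outside the storage root.
var ErrPathOutsideRoot = errors.New("object key resolves outside the storage root")

// unsafeLocalPath illustrates the class of defect the advisory describes: the
// user-supplied key is joined onto the storage root without checking that the
// cleaned result still lies inside it, so "../.." segments walk out of the root.
// (Hypothetical simplification, not lakeFS's actual adapter code.)
func unsafeLocalPath(root, key string) string {
	return filepath.Join(root, key) // Join cleans the path, which is what collapses "a/../../b"
}

// safeLocalPath cleans the joined path and then verifies, via filepath.Rel,
// that the result does not begin with a ".." segment relative to the root.
// A plain string-prefix check would be weaker: "/data/lakefs2/x" starts with
// "/data/lakefs" yet is not inside it, and Rel reports that correctly.
func safeLocalPath(root, key string) (string, error) {
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, key)
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathOutsideRoot
	}
	return joined, nil
}

func main() {
	const root = "/data/lakefs" // constructed storage root for the demonstration
	for _, key := range []string{
		"repo1/objects/abc123",   // ordinary object key
		"repo1/../objects/def",   // ".." that stays inside the root: allowed
		"../../etc/passwd",       // escapes the root: must be rejected
		"repo1/../../other/file", // escapes after a legitimate prefix: must be rejected
	} {
		p, err := safeLocalPath(root, key)
		fmt.Printf("key=%-26q unsafe=%-28s safe=%q err=%v\n", key, unsafeLocalPath(root, key), p, err)
	}
}
```

Note that a key containing `..` is not rejected outright: `repo1/../objects/def` still resolves inside the root and is accepted, while any key whose cleaned form climbs above the root fails with `ErrPathOutsideRoot`. Checking the resolved path rather than the raw key is what makes the rule both complete and free of false positives.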
CVE-2026-26187 was publicly disclosed on 2026-02-17. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog. The vulnerability's impact is amplified by the increasing adoption of data lake technologies and the sensitivity of the data they often contain.
Organizations using lakeFS for data lake management, particularly those with multi-tenant deployments or shared namespaces, are at increased risk. Legacy lakeFS configurations with relaxed access controls are also more vulnerable. Teams relying on lakeFS for sensitive data storage should prioritize patching.
• go / application: Inspect lakeFS configuration files for unusual path entries. Monitor lakeFS logs for suspicious file access attempts, particularly those involving .. sequences.
  find /opt/lakefs/ -path "*/..*" -print
• generic web: Monitor access logs for requests containing path traversal sequences (e.g., ../../../../etc/passwd).
• generic web: Check response headers for unexpected file disclosures.
• generic web: Use curl to probe for directory traversal:
  curl -v 'http://your-lakefs-instance/../../../../etc/passwd' 2>&1 | grep 'HTTP/1.1 200 OK'
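As an added example of the log-monitoring step (this is not lakeFS code, and the access-log lines below are constructed rather than real lakeFS output; the field layout "timestamp method target status" is an assumption), the scanner decodes each request target, including percent-encoded and double-encoded forms, and flags it only when a whole path segment equals "..". Matching the bare substring ".." would also fire on legitimate object names such as `2026..02.csv`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample access-log lines (not real lakeFS output).
// Assumed layout: timestamp, method, request target, status.
var sampleLogLines = []string{
	`2026-02-18T10:00:01Z GET /api/v1/repositories/repo1/refs/main/objects?path=data/part-0001.parquet 200`,
	`2026-02-18T10:00:02Z GET /api/v1/repositories/repo1/refs/main/objects?path=../../etc/passwd 403`,
	`2026-02-18T10:00:03Z GET /api/v1/repositories/repo1/refs/main/objects?path=%2e%2e%2f%2e%2e%2fconfig.yaml 200`,
	`2026-02-18T10:00:04Z PUT /api/v1/repositories/repo1/branches/main/objects?path=reports/2026..02.csv 201`,
}

// finding records one flagged line and the request target that triggered it.
type finding struct {
	Line   string
	Target string
}

// hasTraversal reports whether any path segment of the decoded request target
// is exactly "..". Both the URL path and every query value are examined, since
// lakeFS-style APIs carry the object key in a query parameter.
func hasTraversal(target string) bool {
	decoded := target
	// Decode repeatedly (bounded) so double-encoded "%252e%252e" is also caught.
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(decoded)
		if err != nil || d == decoded {
			break
		}
		decoded = d
	}
	candidates := []string{decoded}
	if u, err := url.Parse(decoded); err == nil {
		candidates = append(candidates, u.Path)
		for _, vs := range u.Query() {
			candidates = append(candidates, vs...)
		}
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, c := range candidates {
		for _, seg := range strings.FieldsFunc(c, isSep) {
			if seg == ".." {
				return true
			}
		}
	}
	return false
}

// scanAccessLog returns every line whose request target contains a traversal segment.
func scanAccessLog(lines []string) []finding {
	var out []finding
	for _, l := range lines {
		fields := strings.Fields(l)
		if len(fields) < 3 {
			continue // malformed line; skip rather than guess
		}
		if hasTraversal(fields[2]) {
			out = append(out, finding{Line: l, Target: fields[2]})
		}
	}
	return out
}

func main() {
	for _, f := range scanAccessLog(sampleLogLines) {
		fmt.Printf("traversal attempt: %s\n", f.Target)
	}
}
```

Run against the constructed sample, the scanner flags the plain `../../etc/passwd` request and the percent-encoded one, while the `2026..02.csv` upload passes. A 403 on the first flagged line shows the server refusing it; the 200 on the encoded line is the kind of response that warrants a closer look on an unpatched instance.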
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26187 is to upgrade to lakeFS version 1.77.0 or later, which includes the necessary fixes to prevent path traversal. If upgrading immediately is not feasible, consider implementing stricter access controls and file system permissions to limit the potential damage from a successful attack. While not a complete solution, a Web Application Firewall (WAF) configured to block requests containing suspicious path traversal sequences can provide an additional layer of defense. Regularly review and audit lakeFS configurations to ensure they adhere to security best practices.
Upgrade lakeFS to version 1.77.0 or later. This version fixes the path traversal vulnerability in the local block adapter, preventing unauthorized access to files outside the designated storage boundaries. The update ensures that requested paths are validated correctly and that object identifiers remain within their designated namespaces.
CVE-2026-26187 is a Path Traversal vulnerability in lakeFS versions before 1.77.0, allowing unauthorized access to files and directories.
You are affected if you are running lakeFS versions prior to 1.77.0. Check your lakeFS version and upgrade immediately if necessary.
Upgrade to lakeFS version 1.77.0 or later to patch the vulnerability. Consider stricter access controls as an interim measure.
There are currently no confirmed reports of active exploitation, but the vulnerability is considered exploitable.
Refer to the lakeFS security advisories on their official website or GitHub repository for the latest information.