Platform: go
Component: github.com/treeverse/lakefs
Fixed in: 1.77.1, 1.77.0
CVE-2026-26187 is a path traversal vulnerability in lakeFS, a Git-like version control layer for data lakes. The flaw lets an attacker who can send requests to a vulnerable instance reach files outside the storage location their request should be confined to, exposing data that belongs to other namespaces or allowing writes outside the intended scope. It affects lakeFS versions before 1.77.0, and a patched release is available.
The vulnerability is in the local block adapter, the storage backend that keeps objects as plain files on the lakeFS server's filesystem (selected with `blockstore.type: local` in the lakeFS configuration). Because user-supplied path components were not validated strictly enough, a crafted object identifier containing traversal segments could resolve to a location outside the directory for its namespace, reaching sibling namespaces or other directories on the host. Reported impact ranges from information disclosure (reading data or configuration files the requester is not entitled to) to unauthorized modification of stored data; what is actually reachable is bounded by the filesystem permissions of the lakeFS server process, since the adapter reads and writes as that user. A successful exploit could compromise both the confidentiality and the integrity of the data lake.
CVE-2026-26187 was publicly disclosed on 2026-02-17. There are currently no known public exploits or active campaigns targeting it, and its KEV status is pending evaluation. No proof-of-concept code is publicly available, but path traversal bugs of this kind are typically straightforward to exploit once the affected request path is known, so exploitation with moderate effort should be assumed possible.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-26187 is to upgrade to lakeFS version 1.77.0 or later, which includes the fix for the path traversal. If an immediate upgrade is not feasible, reduce the blast radius in the meantime: restrict which users and networks can reach the lakeFS API, run the lakeFS process as an unprivileged account that can access only its data directory (`blockstore.local.path`) and nothing sensitive elsewhere on the host, and review the access policies granted to existing users. Because this advisory places the flaw in the local block adapter, deployments backed by a remote object store (S3, GCS, Azure) are expected to be less exposed, but they should still upgrade rather than rely on that. A WAF rule that blocks obvious `../` sequences may catch some attempts, but it is not a substitute for patching, since traversal payloads can be encoded in ways a generic rule misses.
Update lakeFS to version 1.77.0 or higher. This version fixes the path traversal vulnerability in the local block adapter, preventing unauthorized access to files outside of the designated storage boundaries. The update ensures that requested paths are correctly validated and that object identifiers remain within their designated namespaces.
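The two descriptions above (the flaw and its fix) come down to one question: after the server joins the storage root, the namespace and the client-supplied key into an on-disk path, does it check that the result is still inside the directory it belongs to? The following Go program is an added illustration written for this page; it is not lakeFS's code and does not claim to reproduce the actual patch. It assumes a hypothetical layout of `<root>/<namespace>/<key>` on disk and a constructed root of `/var/lib/lakefs/data`, and it places the weak join beside a confined version that validates the cleaned absolute path at both the namespace and the key level.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a namespace or object key would resolve
// outside the directory it must be confined to.
var ErrPathTraversal = errors.New("path resolves outside its storage namespace")

// naiveObjectPath shows the weak pattern: join the storage root, the namespace
// and the client-supplied key and trust the result. filepath.Join cleans ".."
// segments, so a key with enough "../" components walks out of root entirely.
func naiveObjectPath(root, namespace, key string) string {
	return filepath.Join(root, namespace, key)
}

// isWithin reports whether child is parent itself or a descendant of it.
// Both arguments must already be cleaned absolute paths.
func isWithin(parent, child string) bool {
	rel, err := filepath.Rel(parent, child)
	if err != nil {
		return false
	}
	// A relative path of ".." or one starting with "../" means child is above
	// parent. A name such as "..hidden" is a legitimate file and is not rejected.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeObjectPath confines the request in two steps: the namespace must stay
// under root, and the key must stay under that namespace. The checks run on the
// cleaned absolute path rather than on the raw strings, so a key like
// "a/../../b" is judged by where it actually lands after normalisation.
func safeObjectPath(root, namespace, key string) (string, error) {
	if key == "" {
		return "", errors.New("empty object key")
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	nsDir := filepath.Join(absRoot, namespace)
	if nsDir == absRoot || !isWithin(absRoot, nsDir) {
		return "", fmt.Errorf("namespace %q: %w", namespace, ErrPathTraversal)
	}
	full := filepath.Join(nsDir, key)
	if full == nsDir || !isWithin(nsDir, full) {
		return "", fmt.Errorf("key %q: %w", key, ErrPathTraversal)
	}
	return full, nil
}

func main() {
	root := "/var/lib/lakefs/data" // hypothetical storage root, constructed for this example
	// Constructed sample requests: a normal key, a key escaping into a sibling
	// namespace, a namespace escaping the root, and a key escaping to /etc.
	cases := []struct{ ns, key string }{
		{"repo-a", "data/part-0001.parquet"},
		{"repo-a", "../repo-b/secret.parquet"},
		{"../../etc", "passwd"},
		{"repo-a", "../../../../../etc/passwd"},
	}
	for _, c := range cases {
		fmt.Printf("naive: %s\n", naiveObjectPath(root, c.ns, c.key))
		if p, err := safeObjectPath(root, c.ns, c.key); err != nil {
			fmt.Printf("safe : rejected (%v)\n", err)
		} else {
			fmt.Printf("safe : %s\n", p)
		}
	}
}
```

The lexical check above is necessary but not sufficient on a real filesystem: a symlink planted inside a namespace still points wherever it likes, so a server that opens the resulting path should also resolve it with `filepath.EvalSymlinks` and repeat the containment check on the resolved path. Any URL or percent decoding must happen before the check, never after it, otherwise `%2e%2e` slips through untouched.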
CVE-2026-26187 is a Path Traversal vulnerability in lakeFS versions before 1.77.0, allowing unauthorized access to files and directories.
You are affected if you are running lakeFS prior to 1.77.0 with the local block adapter. Check the version reported by the server binary (`lakefs --version`) and the `blockstore.type` setting in your configuration, and upgrade immediately if necessary.
Upgrade to lakeFS version 1.77.0 or later to patch the vulnerability. Consider stricter access controls as an interim measure.
There are currently no confirmed reports of active exploitation, but the vulnerability is considered exploitable.
Refer to the lakeFS security advisories on their official website or GitHub repository for the latest information.