Platform
go
Component
github.com/zarf-dev/zarf
Fixed in
0.54.1
0.73.1
CVE-2026-29064 describes a symlink vulnerability within Zarf, a tool for deploying Kubernetes applications. This flaw allows an attacker to manipulate symbolic links within archives, potentially enabling them to write files outside the intended destination directory. Versions of Zarf prior to 0.73.1 are affected, and a fix has been released in version 0.73.1.
The core of this vulnerability lies in Zarf's insufficient validation of symlink targets within archives. An attacker could craft a malicious archive containing symlinks that, when extracted, would overwrite or create files in unexpected locations on the system. This could lead to arbitrary code execution if the attacker can control the content of the archive and the target system has appropriate permissions. The potential impact extends beyond simple file modification; a successful exploit could allow an attacker to compromise the entire Kubernetes cluster managed by Zarf, leading to data breaches, denial of service, or complete system takeover. This vulnerability is particularly concerning given Zarf's role in deploying and managing applications within Kubernetes environments.
CVE-2026-29064 was publicly disclosed on 2026-03-10. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog. Given the potential for arbitrary code execution, it is crucial to prioritize remediation.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-29064 is to immediately upgrade Zarf to version 0.73.1 or later. This version includes the necessary validation checks to prevent the exploitation of symlink targets. If upgrading is not immediately feasible, consider restricting write access to the Zarf deployment directory to only authorized users and processes. Implement strict file integrity monitoring to detect any unauthorized modifications. While not a complete solution, these measures can reduce the attack surface and provide early warning signs of compromise. After upgrading, verify the fix by attempting to extract a known malicious archive containing symlink exploits and confirming that the extraction fails with an appropriate error message.
Update Zarf to version 0.73.1 or higher. This version fixes the path traversal vulnerability in archive extraction, preventing the creation of symbolic links outside the destination directory.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-29064 is a high-severity vulnerability in Zarf affecting versions prior to 0.73.1. It allows attackers to manipulate symbolic links within archives, potentially leading to arbitrary code execution.
You are affected if you are using Zarf versions 0.73.0 or earlier. Upgrade to version 0.73.1 or later to resolve this vulnerability.
Upgrade Zarf to version 0.73.1 or later. This version includes the necessary validation checks to prevent the exploitation of symlink targets.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate attention and remediation.
Refer to the official Zarf project repository and release notes for the latest information and advisory regarding CVE-2026-29064.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.