Platform
nodejs
Component
gleam-lang/gleam
Fixed in
*
*
*
v1.15.4-elixir
v1.15.4-erlang
v1.15.4-node
v1.15.4-node-slim
v1.15.4-elixir-slim
v1.15.4-erlang-slim
v1.15.4-erlang-alpine
v1.15.4-elixir-alpine
v1.15.4-node-alpine
v1.15.4-scratch
CVE-2026-32146 represents an arbitrary file access vulnerability discovered in the Gleam Compiler. This flaw arises from insufficient validation of paths used when resolving git dependencies, enabling attackers to potentially modify files outside the intended dependency directory. Versions affected include 1.9.0-rc1 through v1.15.4-scratch; however, a fix has been released in v1.15.4-scratch.
CVE-2026-32146 in the Gleam compiler presents a file system modification vulnerability. This stems from improper path validation when handling Git dependencies. The compiler, during dependency resolution from gleam.toml and manifest.toml, incorporates dependency names into file system paths without sufficient validation. An attacker could leverage this by crafting dependency names containing relative path traversal sequences (e.g., ../) or absolute paths to target file system locations outside the intended dependency directory. The severity lies in the potential for an attacker to write files to unexpected locations, potentially compromising system integrity or enabling malicious code execution. While no active exploitation has been reported, the nature of the vulnerability poses a significant risk.
The vulnerability manifests during the Git dependency resolution phase within the Gleam compiler. An attacker could influence the name of a dependency (either directly or through a transitive dependency) to include malicious path traversal sequences. For example, a dependency name like ../../../../etc/passwd could allow the attacker to write to the /etc/passwd file, potentially compromising system security. Exploitation requires the attacker to have the ability to control or influence the dependency names used in the Gleam project. The lack of robust path validation allows these malicious names to be used to construct arbitrary file paths.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
The solution to this vulnerability is to upgrade to Gleam compiler version 1.15.4-scratch. This version includes improved path validation that prevents attackers from manipulating file paths during dependency downloads. Immediate upgrading is strongly recommended to mitigate the risk. Additionally, review dependencies used in Gleam projects to ensure no malicious dependency names are being utilized. Monitoring system logs for unusual activity related to the dependency download process can also aid in detecting potential exploitation attempts. The upgrade is the most critical preventative measure.
Actualice a la versión 1.15.5 o superior para mitigar la vulnerabilidad. Esta actualización corrige la validación incorrecta de la ruta, evitando la modificación arbitraria del sistema de archivos durante la descarga de dependencias de Git.
Vulnerability analysis and critical alerts directly to your inbox.
Gleam is a functional programming language that compiles to Erlang, designed for building scalable and fault-tolerant applications.
Updating to version 1.15.4-scratch fixes a security vulnerability that could allow arbitrary file system modification.
Use the appropriate package manager for your operating system (e.g., npm, cargo, mix) to upgrade to version 1.15.4-scratch.
Review system logs for unusual activity and consider performing a comprehensive security analysis.
Review the dependencies used in your Gleam projects and ensure no malicious dependency names are being utilized.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.